Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1541813
MD5:	8412121d3d892e5ca7128d1173835c1b
SHA1:	69398fa874fe2ea465313f1bda84d9d7ae6c0fe4
SHA256:	3a4db3a0fc3ba4562ae011a747d31937479db2838cc8c5c99c9e799bd2a4a0a4
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7136 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 8412121D3D892E5CA7128D1173835C1B)

taskkill.exe (PID: 4888 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 3728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 716 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 3064 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 2548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 4396 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 4084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6088 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 5700 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 1404 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 404 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6244 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2292 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2224 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a783a8a-023a-4f1e-9dfc-eb9d41ddebd8} 404 "\\.\pipe\gecko-crash-server-pipe.404" 1bbbec6db10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7600 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3200 -parentBuildID 20230927232528 -prefsHandle 2156 -prefMapHandle 3768 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0994ad6b-3f15-49ad-97dc-6fd7db8108a2} 404 "\\.\pipe\gecko-crash-server-pipe.404" 1bbd1255210 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7436 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5028 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5020 -prefMapHandle 5016 -prefsLen 33093 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d87c2df-334f-4077-865a-6233cc61f1dd} 404 "\\.\pipe\gecko-crash-server-pipe.404" 1bbce984510 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.2230603947.0000000000D81000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security
Process Memory Space: file.exe PID: 7136	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_0046EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0046EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0046ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0046ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0046EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0045AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0045AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00489576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00489576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.2169198561.00000000004B2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_95095e59-d
Source: file.exe, 00000000.00000000.2169198561.00000000004B2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_25cf628e-4
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_2586debf-4
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_9b56d7b1-7

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_0000016F15D643F7 NtQuerySystemInformation,		18_2_0000016F15D643F7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_0000016F15D84432 NtQuerySystemInformation,		18_2_0000016F15D84432

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0045D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0045D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00451201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00451201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0045E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0045E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003FBF40	0_2_003FBF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00462046	0_2_00462046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003F8060	0_2_003F8060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00458298	0_2_00458298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042E4FF	0_2_0042E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042676B	0_2_0042676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00484873	0_2_00484873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003FCAF0	0_2_003FCAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041CAA0	0_2_0041CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040CC39	0_2_0040CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00426DD9	0_2_00426DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040B119	0_2_0040B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003F91C0	0_2_003F91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00411394	0_2_00411394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041781B	0_2_0041781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003F7920	0_2_003F7920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040997D	0_2_0040997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00417A4A	0_2_00417A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00443CD2	0_2_00443CD2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00417CA7	0_2_00417CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0047BE44	0_2_0047BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00429EEE	0_2_00429EEE
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_0000016F15D643F7	18_2_0000016F15D643F7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_0000016F15D84432	18_2_0000016F15D84432
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_0000016F15D84B5C	18_2_0000016F15D84B5C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_0000016F15D84472	18_2_0000016F15D84472

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 003F9CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00410A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0040F9F2 appears 40 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/38@74/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004637B5 GetLastError,FormatMessageW,

0_2_004637B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004510BF AdjustTokenPrivileges,CloseHandle,		0_2_004510BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004516C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_004516C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004651CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_004651CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0045D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0045D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0046648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0046648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003F42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_003F42A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:368:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2548:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4084:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3728:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5660:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.2385260981.000001BBDB13F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2385260981.000001BBDB182000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2366424227.000001BBDB13B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.2385260981.000001BBDB13F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2366424227.000001BBDB13B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000E.00000003.2385260981.000001BBDB13F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2366424227.000001BBDB13B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000E.00000003.2385260981.000001BBDB13F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2366424227.000001BBDB13B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000E.00000003.2385260981.000001BBDB13F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2366424227.000001BBDB13B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000E.00000003.2385260981.000001BBDB13F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2366424227.000001BBDB13B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000E.00000003.2385260981.000001BBDB13F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2366424227.000001BBDB13B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000E.00000003.2385260981.000001BBDB13F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2366424227.000001BBDB13B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000E.00000003.2385260981.000001BBDB13F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2366424227.000001BBDB13B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe	Virustotal: Detection: 40%
Source: file.exe	ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2292 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2224 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a783a8a-023a-4f1e-9dfc-eb9d41ddebd8} 404 "\\.\pipe\gecko-crash-server-pipe.404" 1bbbec6db10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3200 -parentBuildID 20230927232528 -prefsHandle 2156 -prefMapHandle 3768 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0994ad6b-3f15-49ad-97dc-6fd7db8108a2} 404 "\\.\pipe\gecko-crash-server-pipe.404" 1bbd1255210 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5028 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5020 -prefMapHandle 5016 -prefsLen 33093 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d87c2df-334f-4077-865a-6233cc61f1dd} 404 "\\.\pipe\gecko-crash-server-pipe.404" 1bbce984510 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2292 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2224 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a783a8a-023a-4f1e-9dfc-eb9d41ddebd8} 404 "\\.\pipe\gecko-crash-server-pipe.404" 1bbbec6db10 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3200 -parentBuildID 20230927232528 -prefsHandle 2156 -prefMapHandle 3768 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0994ad6b-3f15-49ad-97dc-6fd7db8108a2} 404 "\\.\pipe\gecko-crash-server-pipe.404" 1bbd1255210 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5028 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5020 -prefMapHandle 5016 -prefsLen 33093 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d87c2df-334f-4077-865a-6233cc61f1dd} 404 "\\.\pipe\gecko-crash-server-pipe.404" 1bbce984510 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000E.00000003.2425089664.000001BBD3401000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000E.00000003.2425089664.000001BBD3401000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003F42DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00410A76 push ecx; ret

0_2_00410A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0040F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00481C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00481C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-95203

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 18_2_0000016F15D643F7 rdtsc

18_2_0000016F15D643F7

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0045DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042C2A2 FindFirstFileExW,	0_2_0042C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004668EE FindFirstFileW,FindClose,	0_2_004668EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0046698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0046698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0045D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0045D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00469642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00469642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0046979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0046979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00469B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00469B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00465C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00465C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003F42DE

Source: firefox.exe, 00000010.00000002.4038876922.000001991B26A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.4042775204.0000016F15C60000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.4037198001.0000016F153FA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.4037703732.00000240B1F3A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.4042891078.000001991B61A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000010.00000002.4043815233.000001991B700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW*
Source: firefox.exe, 00000012.00000002.4042775204.0000016F15C60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll,
Source: firefox.exe, 00000012.00000002.4042775204.0000016F15C60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^
Source: firefox.exe, 00000014.00000002.4038917526.00000240B1FB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: firefox.exe, 00000010.00000002.4043815233.000001991B700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 18_2_0000016F15D643F7 rdtsc

18_2_0000016F15D643F7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0046EAA2 BlockInput,

0_2_0046EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00422622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00422622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003F42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00414CE8 mov eax, dword ptr fs:[00000030h]

0_2_00414CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00450B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00450B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00422622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00422622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0041083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004109D5 SetUnhandledExceptionFilter,	0_2_004109D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00410C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00410C21

Source: C:\Users\user\Desktop\file.exe

0_2_00451201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00432BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00432BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0045B226 SendInput,keybd_event,

0_2_0045B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004722DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_004722DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00450B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00451663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00451663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00410698 cpuid

0_2_00410698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00468195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00468195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0044D27A GetUserNameW,

0_2_0044D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0042B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0042B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003F42DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.2230603947.0000000000D81000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7136, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.2230603947.0000000000D81000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7136, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00471204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00471204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00471806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00471806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	40%	Virustotal		Browse
file.exe	47%	ReversingLabs	Win32.Trojan.CredentialFlusher
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
example.org	0%	Virustotal	Browse
star-mini.c10r.facebook.com	0%	Virustotal	Browse
prod.balrog.prod.cloudops.mozgcp.net	0%	Virustotal	Browse
prod.classify-client.prod.webservices.mozgcp.net	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema.	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://xhr.spec.whatwg.org/#sync-warning	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://content-signature-2.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2020-12/schema/=	0%	URL Reputation	safe
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://ok.ru/	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://MD8.mozilla.org/1/m	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://shavar.services.mozilla.com/	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	0%	URL Reputation	safe
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://monitor.firefox.com/user/preferences	0%	URL Reputation	safe
https://screenshots.firefox.com/	0%	URL Reputation	safe
https://gpuweb.github.io/gpuweb/	0%	URL Reputation	safe
http://json-schema.org/draft-07/schema#-	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	0%	URL Reputation	safe
https://www.olx.pl/	0%	URL Reputation	safe
https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_	0%	URL Reputation	safe
https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-4	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
example.org	93.184.215.14	true	false	0%, Virustotal, Browse	unknown
star-mini.c10r.facebook.com	157.240.0.35	true	false	0%, Virustotal, Browse	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	0%, Virustotal, Browse	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	0%, Virustotal, Browse	unknown
twitter.com	104.244.42.193	true	false		unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false		unknown
services.addons.mozilla.org	151.101.1.91	true	false		unknown
dyna.wikimedia.org	185.15.59.224	true	false		unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false		unknown
contile.services.mozilla.com	34.117.188.166	true	false		unknown
youtube.com	142.250.185.238	true	false		unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false		unknown
youtube-ui.l.google.com	216.58.206.46	true	false		unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false		unknown
reddit.map.fastly.net	151.101.1.140	true	false		unknown
ipv4only.arpa	192.0.0.171	true	false		unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false		unknown
push.services.mozilla.com	34.107.243.93	true	false		unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false		unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false		unknown
www.reddit.com	unknown	unknown	false		unknown
spocs.getpocket.com	unknown	unknown	false		unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false		unknown
support.mozilla.org	unknown	unknown	false		unknown
firefox.settings.services.mozilla.com	unknown	unknown	false		unknown
www.youtube.com	unknown	unknown	false		unknown
www.facebook.com	unknown	unknown	false		unknown
detectportal.firefox.com	unknown	unknown	false		unknown
normandy.cdn.mozilla.net	unknown	unknown	false		unknown
shavar.services.mozilla.com	unknown	unknown	false		unknown
www.wikipedia.org	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.4039138651.000001991B2A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.4038617293.0000016F15670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.4039042359.00000240B20B0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000014.00000002.4040385636.00000240B25C3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.4039138651.000001991B2A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.4038617293.0000016F15670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.4039042359.00000240B20B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000E.00000003.2310472639.000001BBD0269000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2345016035.000001BBD0269000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2379434891.000001BBCE872000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000E.00000003.2329997345.000001BBD7046000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2376399467.000001BBD7043000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2245454769.000001BBD7046000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2375205011.000001BBD7046000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000014.00000002.4040385636.00000240B258E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000E.00000003.2387868041.000001BBD752D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2399117175.000001BBD752D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2412065007.000001BBD7531000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2420573497.000001BBD7532000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.4039138651.000001991B2A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.4038617293.0000016F15670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.4039042359.00000240B20B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 0000000E.00000003.2400112818.000001BBD71F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2388754069.000001BBD71F0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.2402306887.000001BBD6E3A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2409134559.000001BBD27BA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.2220202028.000001BBCEC52000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2219631622.000001BBCEA00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2219783921.000001BBCEC0F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2219957154.000001BBCEC31000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.4039138651.000001991B2A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.4038617293.0000016F15670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.4039042359.00000240B20B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.4039138651.000001991B2A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.4038617293.0000016F15670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.4039042359.00000240B20B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.4039138651.000001991B2A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.4038617293.0000016F15670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.4039042359.00000240B20B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000E.00000003.2251103318.000001BBD6EFC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2367756360.000001BBD6EFA000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.4039138651.000001991B2A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.4038617293.0000016F15670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.4039042359.00000240B20B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000E.00000003.2401152622.000001BBD6FC9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.2220202028.000001BBCEC52000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2219631622.000001BBCEA00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2219783921.000001BBCEC0F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2219957154.000001BBCEC31000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.com	firefox.exe, 0000000E.00000003.2371100845.000001BBD2255000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2404728882.000001BBD2255000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2393565339.000001BBD2255000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.2219631622.000001BBCEA00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2219783921.000001BBCEC0F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2219957154.000001BBCEC31000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.4039138651.000001991B2A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.4038617293.0000016F15670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.4039042359.00000240B20B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.4039138651.000001991B2A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.4038617293.0000016F15670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.4039042359.00000240B20B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.4039138651.000001991B2A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.4038617293.0000016F15670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.4039042359.00000240B20B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000E.00000003.2409134559.000001BBD2777000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000E.00000003.2387868041.000001BBD752D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2399117175.000001BBD752D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2412065007.000001BBD7531000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2420573497.000001BBD7532000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=https://ac	firefox.exe, 00000014.00000002.4039942011.00000240B24E0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000E.00000003.2407231463.000001BBDA799000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.4039138651.000001991B2A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.4038617293.0000016F15670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.4039042359.00000240B20B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.4039138651.000001991B2A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.4038617293.0000016F15670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.4039042359.00000240B20B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	prefs-1.js.14.dr	false		unknown
https://ok.ru/	firefox.exe, 0000000E.00000003.2394729869.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423404275.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000E.00000003.2367567309.000001BBDA663000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.4039138651.000001991B2A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.4038617293.0000016F15670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.4039042359.00000240B20B0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000E.00000003.2401152622.000001BBD6FD4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.4039138651.000001991B2A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.4038617293.0000016F15670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.4039042359.00000240B20B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/	firefox.exe, 0000000E.00000003.2423404275.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2368541138.000001BBD236E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2391570824.000001BBD236E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.4039694087.0000016F15703000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.4040385636.00000240B250C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.2309168203.000001BBD0299000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2308491115.000001BBD027B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.4039138651.000001991B2A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.4038617293.0000016F15670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.4039042359.00000240B20B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://MD8.mozilla.org/1/m	firefox.exe, 0000000E.00000003.2409134559.000001BBD2777000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bbc.co.uk/	firefox.exe, 0000000E.00000003.2400112818.000001BBD71F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2388754069.000001BBD71F0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000E.00000003.2407231463.000001BBDA799000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000014.00000002.4040385636.00000240B25C3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000E.00000003.2249351980.000001BBD71FD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2251103318.000001BBD6ED1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.4039138651.000001991B2A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.4038617293.0000016F15670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.4039042359.00000240B20B0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.2308491115.000001BBD027B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000E.00000003.2333674984.000001BBD05BC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000E.00000003.2407276182.000001BBDA752000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2407231463.000001BBDA799000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.4039138651.000001991B2A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.4038617293.0000016F15670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.4039042359.00000240B20B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false		unknown
https://shavar.services.mozilla.com/	firefox.exe, 0000000E.00000003.2417257722.000001BBD0E99000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000E.00000003.2401152622.000001BBD6FD4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 00000014.00000002.4040385636.00000240B250C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.4039138651.000001991B2A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.4038617293.0000016F15670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.4039042359.00000240B20B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.4039138651.000001991B2A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.4038617293.0000016F15670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.4039042359.00000240B20B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.4039138651.000001991B2A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.4038617293.0000016F15670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.4039042359.00000240B20B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000E.00000003.2400112818.000001BBD71F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2388754069.000001BBD71F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2394729869.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423404275.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.	places.sqlite-wal.14.dr	false	URL Reputation: safe	unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.4039138651.000001991B2A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.4038617293.0000016F15670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.4039042359.00000240B20B0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.4039138651.000001991B2A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.4038617293.0000016F15670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.4039042359.00000240B20B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.4039138651.000001991B2A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.4038617293.0000016F15670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.4039042359.00000240B20B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000E.00000003.2251103318.000001BBD6EFC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2367756360.000001BBD6EFA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.4039138651.000001991B2A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.4038617293.0000016F15670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.4039042359.00000240B20B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.4039138651.000001991B2A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.4038617293.0000016F15670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.4039042359.00000240B20B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	firefox.exe, 0000000E.00000003.2308491115.000001BBD027B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.4039138651.000001991B2A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.4038617293.0000016F15670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.4039042359.00000240B20B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.4039138651.000001991B2A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.4038617293.0000016F15670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.4039042359.00000240B20B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.2392667412.000001BBD22D1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2330651828.000001BBD29A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2364904157.000001BBD05C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2250316680.000001BBD6FD1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2257160633.000001BBD0851000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2438157819.000001BBD269E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2410839989.000001BBD13C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2400917643.000001BBD7145000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2326270049.000001BBCC3CF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2386592436.000001BBDA35A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2369672885.000001BBD230B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2382436942.000001BBCF1BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2368541138.000001BBD231E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2394590842.000001BBD13C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2364904157.000001BBD05B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2336000140.000001BBD07B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2249351980.000001BBD7159000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2249351980.000001BBD711B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2371887237.000001BBD18C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2370212895.000001BBD22D1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2438974781.000001BBCF1BE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000E.00000003.2416736284.000001BBD12BE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://login.microsoftonline.com	firefox.exe, 0000000E.00000003.2416736284.000001BBD12C9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.4039138651.000001991B2A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.4038617293.0000016F15670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.4039042359.00000240B20B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000E.00000003.2394729869.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423404275.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000E.00000003.2329997345.000001BBD7046000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2376399467.000001BBD7043000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2245454769.000001BBD7046000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2375205011.000001BBD7046000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.4039138651.000001991B2A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.4038617293.0000016F15670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.4039042359.00000240B20B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 0000000E.00000003.2401152622.000001BBD6FD4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000E.00000003.2401152622.000001BBD6FD4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 00000010.00000002.4039138651.000001991B2A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.4038617293.0000016F15670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.4039042359.00000240B20B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 0000000E.00000003.2308491115.000001BBD027B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000010.00000002.4039138651.000001991B2A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.4038617293.0000016F15670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.4039042359.00000240B20B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000E.00000003.2409684872.000001BBD2341000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2402921597.000001BBD2336000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2391570824.000001BBD2336000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2368541138.000001BBD2336000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000E.00000003.2309168203.000001BBD0299000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2308491115.000001BBD02A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2308491115.000001BBD027B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2309168203.000001BBD02A5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000E.00000003.2407231463.000001BBDA799000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000E.00000003.2388754069.000001BBD71F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2402625994.000001BBD6E1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.4039138651.000001991B2A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.4038617293.0000016F15670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.4039042359.00000240B20B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.co.uk/	firefox.exe, 0000000E.00000003.2400112818.000001BBD71F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2388754069.000001BBD71F0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 00000010.00000002.4039138651.000001991B2A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.4038617293.0000016F15670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.4039042359.00000240B20B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com/	firefox.exe, 0000000E.00000003.2219957154.000001BBCEC31000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/search	firefox.exe, 0000000E.00000003.2220202028.000001BBCEC52000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2219631622.000001BBCEA00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2219783921.000001BBCEC0F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2219957154.000001BBCEC31000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://gpuweb.github.io/gpuweb/	firefox.exe, 0000000E.00000003.2251103318.000001BBD6EFC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2367756360.000001BBD6EFA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://relay.firefox.com/api/v1/	firefox.exe, 00000010.00000002.4039138651.000001991B2A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.4038617293.0000016F15670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.4039042359.00000240B20B0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
http://json-schema.org/draft-07/schema#-	firefox.exe, 0000000E.00000003.2387868041.000001BBD752D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2399117175.000001BBD752D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2412065007.000001BBD7531000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2420573497.000001BBD7532000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 00000010.00000002.4039138651.000001991B2A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.4038617293.0000016F15670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.4039042359.00000240B20B0000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://topsites.services.mozilla.com/cid/	firefox.exe, 00000010.00000002.4039138651.000001991B2A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.4038617293.0000016F15670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.4039042359.00000240B20B0000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://twitter.com/	firefox.exe, 0000000E.00000003.2367567309.000001BBDA663000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://vk.com/	firefox.exe, 0000000E.00000003.2394729869.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423404275.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.olx.pl/	firefox.exe, 0000000E.00000003.2400112818.000001BBD71F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2388754069.000001BBD71F0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1193802	firefox.exe, 0000000E.00000003.2309168203.000001BBD0299000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2308491115.000001BBD027B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/products/firefox	firefox.exe, 0000000E.00000003.2419857986.000001BBDA3EF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_	firefox.exe, 00000010.00000002.4039615900.000001991B4C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.4039694087.0000016F157E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.4039810960.00000240B2306000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	URL Reputation: safe	unknown
https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-4	firefox.exe, 0000000E.00000003.2401152622.000001BBD6FD4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/complete/search	firefox.exe, 0000000E.00000003.2246957566.000001BBD74E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2248606939.000001BBD7457000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
151.101.1.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
142.250.185.238	youtube.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1541813
Start date and time:	2024-10-25 07:35:28 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/38@74/12
EGA Information:	Successful, ratio: 40%
HCA Information:	Successful, ratio: 95% Number of executed functions: 41 Number of non-executed functions: 313
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.13.186.250, 44.231.229.39, 34.208.54.237, 2.22.61.56, 2.22.61.59, 216.58.206.78, 172.217.18.110, 142.250.185.202, 142.250.185.138
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, otelrules.azureedge.net, slscr.update.microsoft.com, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Execution Graph export aborted for target firefox.exe, PID 404 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.1.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Unknown	Browse	157.240.252.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	Import_Declainvoice.htm	Get hash	malicious	Unknown	Browse	199.232.196.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	CalendlyApp	Get hash	malicious	Unknown	Browse	151.101.67.6
	CalendlyApp	Get hash	malicious	Unknown	Browse	151.101.131.8
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
ATGS-MMD-ASUS	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	33.175.30.229
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	51.247.216.53
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	33.219.10.156
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	33.215.156.135
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	32.248.99.75
	la.bot.arm5.elf	Get hash	malicious	Unknown	Browse	57.167.41.108
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	51.22.194.116
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	33.69.246.239
ATGS-MMD-ASUS	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	33.175.30.229
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	51.247.216.53
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	33.219.10.156
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	33.215.156.135
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	32.248.99.75
	la.bot.arm5.elf	Get hash	malicious	Unknown	Browse	57.167.41.108
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	51.22.194.116
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	33.69.246.239

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_c718ef7e-2ca1-4383-a4c1-d816fd111324.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7946
Entropy (8bit):	5.17429133963255
Encrypted:	false
SSDEEP:	192:xBMXOo7cbhbVbTbfbRbObtbyEl7n0rfJA6unSrDtTkdxSoft:xibcNhnzFSJUrG1nSrDhkdxh
MD5:	B7342DD577F96C6E44B5031F74019177
SHA1:	02388C6FF5BFBBC2395413A9FC77F399E3A78548
SHA-256:	C6FAA751110B76AB224DE75CF116F86AB1C6DB7D4EC97771CDC24E2CD37C14E3
SHA-512:	771B07C9B3BB33A4C0BFEA6B2FD5B26EFE8C2B2843F9141CAC6B9FF2401B7A1A044AF261413392242E5F7AADEA1834958BA19E43463E287CC7487BDBAD8770F6
Malicious:	false
Preview:	{"type":"uninstall","id":"c718ef7e-2ca1-4383-a4c1-d816fd111324","creationDate":"2024-10-25T07:32:26.737Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"7340e351-fad3-4a0f-b554-971fbfafe8fb","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_c718ef7e-2ca1-4383-a4c1-d816fd111324.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7946
Entropy (8bit):	5.17429133963255
Encrypted:	false
SSDEEP:	192:xBMXOo7cbhbVbTbfbRbObtbyEl7n0rfJA6unSrDtTkdxSoft:xibcNhnzFSJUrG1nSrDhkdxh
MD5:	B7342DD577F96C6E44B5031F74019177
SHA1:	02388C6FF5BFBBC2395413A9FC77F399E3A78548
SHA-256:	C6FAA751110B76AB224DE75CF116F86AB1C6DB7D4EC97771CDC24E2CD37C14E3
SHA-512:	771B07C9B3BB33A4C0BFEA6B2FD5B26EFE8C2B2843F9141CAC6B9FF2401B7A1A044AF261413392242E5F7AADEA1834958BA19E43463E287CC7487BDBAD8770F6
Malicious:	false
Preview:	{"type":"uninstall","id":"c718ef7e-2ca1-4383-a4c1-d816fd111324","creationDate":"2024-10-25T07:32:26.737Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"7340e351-fad3-4a0f-b554-971fbfafe8fb","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3129400462515743
Encrypted:	false
SSDEEP:	24:lbdf1Z6iAZTIUx2dWoM15WLN8zmAbdf1Z6iAZswM+bpoqdWoM15WLFX1RgmubdfR:JdG+UgdwDzjdGe6BdwFhdGeadwH1
MD5:	1885BBF8FF929740672B441A8BA593B0
SHA1:	AF6656CA87137C76CEE55E38CFC5D9DF80E1859F
SHA-256:	AD4D4A949920732AC0B9624004B4FE5E0789DCB7A471760258E1861BDB315DCC
SHA-512:	3467517F26D639EECC6DE3A28C61DE866449B2D9F85532D7AB5BC0D0E3763162C24728FE8C5AEC7D173C0855A79310F4B4E9EDC34A883F6C05A3E09890B7899E
Malicious:	false
Preview:	...................................FL..................F.@.. ...p........8g.&..........S...........................P.O. .:i.....+00.../C:\.....................1.....EW.3..PROGRA~1..t......O.IYY.,....B...............J.......j.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WYY.,............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WYY.,..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z....................C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3129400462515743
Encrypted:	false
SSDEEP:	24:lbdf1Z6iAZTIUx2dWoM15WLN8zmAbdf1Z6iAZswM+bpoqdWoM15WLFX1RgmubdfR:JdG+UgdwDzjdGe6BdwFhdGeadwH1
MD5:	1885BBF8FF929740672B441A8BA593B0
SHA1:	AF6656CA87137C76CEE55E38CFC5D9DF80E1859F
SHA-256:	AD4D4A949920732AC0B9624004B4FE5E0789DCB7A471760258E1861BDB315DCC
SHA-512:	3467517F26D639EECC6DE3A28C61DE866449B2D9F85532D7AB5BC0D0E3763162C24728FE8C5AEC7D173C0855A79310F4B4E9EDC34A883F6C05A3E09890B7899E
Malicious:	false
Preview:	...................................FL..................F.@.. ...p........8g.&..........S...........................P.O. .:i.....+00.../C:\.....................1.....EW.3..PROGRA~1..t......O.IYY.,....B...............J.......j.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WYY.,............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WYY.,..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z....................C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\99F7SNUZHKUULQH09V4S.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	modified
Size (bytes):	5488
Entropy (8bit):	3.3129400462515743
Encrypted:	false
SSDEEP:	24:lbdf1Z6iAZTIUx2dWoM15WLN8zmAbdf1Z6iAZswM+bpoqdWoM15WLFX1RgmubdfR:JdG+UgdwDzjdGe6BdwFhdGeadwH1
MD5:	1885BBF8FF929740672B441A8BA593B0
SHA1:	AF6656CA87137C76CEE55E38CFC5D9DF80E1859F
SHA-256:	AD4D4A949920732AC0B9624004B4FE5E0789DCB7A471760258E1861BDB315DCC
SHA-512:	3467517F26D639EECC6DE3A28C61DE866449B2D9F85532D7AB5BC0D0E3763162C24728FE8C5AEC7D173C0855A79310F4B4E9EDC34A883F6C05A3E09890B7899E
Malicious:	false
Preview:	...................................FL..................F.@.. ...p........8g.&..........S...........................P.O. .:i.....+00.../C:\.....................1.....EW.3..PROGRA~1..t......O.IYY.,....B...............J.......j.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WYY.,............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WYY.,..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z....................C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YUBLRWGSKZZD2VKECLE7.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3129400462515743
Encrypted:	false
SSDEEP:	24:lbdf1Z6iAZTIUx2dWoM15WLN8zmAbdf1Z6iAZswM+bpoqdWoM15WLFX1RgmubdfR:JdG+UgdwDzjdGe6BdwFhdGeadwH1
MD5:	1885BBF8FF929740672B441A8BA593B0
SHA1:	AF6656CA87137C76CEE55E38CFC5D9DF80E1859F
SHA-256:	AD4D4A949920732AC0B9624004B4FE5E0789DCB7A471760258E1861BDB315DCC
SHA-512:	3467517F26D639EECC6DE3A28C61DE866449B2D9F85532D7AB5BC0D0E3763162C24728FE8C5AEC7D173C0855A79310F4B4E9EDC34A883F6C05A3E09890B7899E
Malicious:	false
Preview:	...................................FL..................F.@.. ...p........8g.&..........S...........................P.O. .:i.....+00.../C:\.....................1.....EW.3..PROGRA~1..t......O.IYY.,....B...............J.......j.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WYY.,............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WYY.,..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z....................C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4419
Entropy (8bit):	4.933161440985191
Encrypted:	false
SSDEEP:	96:gXiNFS+OcPUFEOdwNIOdwBjvYVbsL9p8P:gXiNFS+OcUGOdwiOdwBjkYL9p8P
MD5:	BC1D1A2E657EDCBA963488BA51E34140
SHA1:	6D7DAFDB58FF617FF4123464242D62E784EBB8F4
SHA-256:	B4893FD8253BD5108EE02988D9FB4675C37675189EE12C90F1447AC5BA8718FB
SHA-512:	4CFC53B28A30B8B378872D3988FE80B915B6291BCFF2C82EB076A0E72BDED38FAA943E9E09C5C83BFE2A253C7E071480E27AAADF34D8EEC36366AE2BFB133A2A
Malicious:	false
Preview:	{"bookmarks-toolbar-default-on":{"slug":"bookmarks-toolbar-default-on","branch":{"slug":"treatment-a","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"enableBookmarksToolbar":"always"},"enabled":true,"featureId":"bookmarks"}]},"active":true,"enrollmentId":"d48f64a8-a4ab-4cdd-a650-4b386e41a201","experimentType":"nimbus","source":"rs-loader","userFacingName":"Bookmarks Toolbar Default On","userFacingDescription":"An experiment that turns the bookmarks toolbar on by default.","lastSeen":"2023-10-05T06:20:35.557Z","featureIds":["bookmarks"],"prefs":[{"name":"browser.toolbars.bookmarks.visibility","branch":"user","featureId":"bookmarks","variable":"enableBookmarksToolbar","originalValue":null}],"isRollout":false},"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4419
Entropy (8bit):	4.933161440985191
Encrypted:	false
SSDEEP:	96:gXiNFS+OcPUFEOdwNIOdwBjvYVbsL9p8P:gXiNFS+OcUGOdwiOdwBjkYL9p8P
MD5:	BC1D1A2E657EDCBA963488BA51E34140
SHA1:	6D7DAFDB58FF617FF4123464242D62E784EBB8F4
SHA-256:	B4893FD8253BD5108EE02988D9FB4675C37675189EE12C90F1447AC5BA8718FB
SHA-512:	4CFC53B28A30B8B378872D3988FE80B915B6291BCFF2C82EB076A0E72BDED38FAA943E9E09C5C83BFE2A253C7E071480E27AAADF34D8EEC36366AE2BFB133A2A
Malicious:	false
Preview:	{"bookmarks-toolbar-default-on":{"slug":"bookmarks-toolbar-default-on","branch":{"slug":"treatment-a","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"enableBookmarksToolbar":"always"},"enabled":true,"featureId":"bookmarks"}]},"active":true,"enrollmentId":"d48f64a8-a4ab-4cdd-a650-4b386e41a201","experimentType":"nimbus","source":"rs-loader","userFacingName":"Bookmarks Toolbar Default On","userFacingDescription":"An experiment that turns the bookmarks toolbar on by default.","lastSeen":"2023-10-05T06:20:35.557Z","featureIds":["bookmarks"],"prefs":[{"name":"browser.toolbars.bookmarks.visibility","branch":"user","featureId":"bookmarks","variable":"enableBookmarksToolbar","originalValue":null}],"isRollout":false},"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185052013683835
Encrypted:	false
SSDEEP:	768:AI4wvfCXh496G4C4U1W4z4xuHhvp4N4Tc4Z4S4t24U:AruBv3
MD5:	10E2D85FEF0DB266E519048D63617FA8
SHA1:	EBB307C44EBEFFA271AC58FDDE5C3A1BA52AE7B0
SHA-256:	92143A48F55639B5BD01385D0E4E78EDED4F84401A91C12AC06251EE188CFE0E
SHA-512:	164CBE725B44020AD40D165A1B1C242A7016ED8933AB9502D0D38E6CD99887D9DF49533DE54068AA4E5D8476C7791B52518A8477B8961475B7CB2C3AF54B81B1
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{87ef1fa3-cb84-4bbf-a615-45a1d14b629d}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185052013683835
Encrypted:	false
SSDEEP:	768:AI4wvfCXh496G4C4U1W4z4xuHhvp4N4Tc4Z4S4t24U:AruBv3
MD5:	10E2D85FEF0DB266E519048D63617FA8
SHA1:	EBB307C44EBEFFA271AC58FDDE5C3A1BA52AE7B0
SHA-256:	92143A48F55639B5BD01385D0E4E78EDED4F84401A91C12AC06251EE188CFE0E
SHA-512:	164CBE725B44020AD40D165A1B1C242A7016ED8933AB9502D0D38E6CD99887D9DF49533DE54068AA4E5D8476C7791B52518A8477B8961475B7CB2C3AF54B81B1
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{87ef1fa3-cb84-4bbf-a615-45a1d14b629d}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07329687659153096
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkiUf:DLhesh7Owd4+ji+
MD5:	46E43292A016EA8F6B504A50480E822A
SHA1:	2D22F7850D0D6C33E7BB32A12760189A8FDBF555
SHA-256:	D78AFB7E7B77E5A4163B599CD42DD89ECAC70B7A9045BCE09EF211EDB4826B70
SHA-512:	D91F40740F94DC3F2011591F545C73039635123A2F93210A8814FB96464E2D193681A9ABC64CBEACC116A2C6A62EF56CF8AFF388CC493AD235726D0B610EAB74
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.039461165957280435
Encrypted:	false
SSDEEP:	3:GHlhVYXDpoc5mIua/HlhVYXDpoc5mIusl8a9//Ylll4llqlyllel4lt:G7VYl9Zuq7VYl9ZuEL9XIwlio
MD5:	990D026FE9041F8FCBCACF96F61D4B8A
SHA1:	912F90018AA05A996C0685C58C7717EDF1F4FFA5
SHA-256:	2F27979AAF63CBB8D95D65CA6A5A4F9DA526ED16B89B2E5DFE5562C4362CFFA2
SHA-512:	4A944076A05AE56A89EB7E47CA6270D31222F4CD545E720D596E7638C9005ABBC9931A52F30C00E0373749206351F5242138142741840F8571BBE6C18B11E99A
Malicious:	false
Preview:	..-.....................5..f.J......Z.....~.#a..-.....................5..f.J......Z.....~.#a........................................................'...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	163992
Entropy (8bit):	0.09537134532904717
Encrypted:	false
SSDEEP:	24:K23uw7RULxs9YCEUt5xsMldCCQE/TSKCrsCs81xsayG34gmwlTba2iEg:N3ukRAscUtzJKDC8XVyG34UpW
MD5:	AE87E90FBEC8C3D2448FA2BFDD1489D9
SHA1:	FDAD71B60B3B6C6A6C0E573BCE8D4976BDF037DB
SHA-256:	05466DD5A1EC8FB001AEAF4932C3B50F6BDBCA459F2819D1AA3393DFE4A4BDBE
SHA-512:	B43E84025D3469FA81CCF5556A311D7EC837A3098F6D72996DF94FED7E2307235C21777A1104C3845D9B5681C689A54785D1A6F6086A8B4159FD351E5BDBB427
Malicious:	false
Preview:	7....-..............Z....+.G.X............Z....j.k..Z................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1717), with CRLF line terminators
Category:	dropped
Size (bytes):	14081
Entropy (8bit):	5.467005622962881
Encrypted:	false
SSDEEP:	192:1nTFTRRUYbBp6aLZNMGaXf6qU4Epzy+/3/7NU5RYiNBw8d0Sl:1KefFNMWLVyCedwL0
MD5:	66FC66CF1CA2AD5AD9D04FFC758565CC
SHA1:	D90E64C0C6465F088C35260FD7C3DE5AC789562A
SHA-256:	5E6B2D231A0981EA11E10E5077480051EE928886151C6CD499A46DD05A3F6EF6
SHA-512:	B07C67BE09E904FE1B9159ED9A425263DFFABEBB467E13D876A488761B411E455D5DCD832BA86DAD5AAF71F4E3AA38BA7B1856C2C94DD70CCDF22C5D91FC6094
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "a24b7aae-efcd-4433-83ad-3649b8231e2d");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1729841517);..user_pref("app.update.lastUpdateTime.background-update-timer", 1729841517);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1729841517);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172984

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1717), with CRLF line terminators
Category:	dropped
Size (bytes):	14081
Entropy (8bit):	5.467005622962881
Encrypted:	false
SSDEEP:	192:1nTFTRRUYbBp6aLZNMGaXf6qU4Epzy+/3/7NU5RYiNBw8d0Sl:1KefFNMWLVyCedwL0
MD5:	66FC66CF1CA2AD5AD9D04FFC758565CC
SHA1:	D90E64C0C6465F088C35260FD7C3DE5AC789562A
SHA-256:	5E6B2D231A0981EA11E10E5077480051EE928886151C6CD499A46DD05A3F6EF6
SHA-512:	B07C67BE09E904FE1B9159ED9A425263DFFABEBB467E13D876A488761B411E455D5DCD832BA86DAD5AAF71F4E3AA38BA7B1856C2C94DD70CCDF22C5D91FC6094
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "a24b7aae-efcd-4433-83ad-3649b8231e2d");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1729841517);..user_pref("app.update.lastUpdateTime.background-update-timer", 1729841517);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1729841517);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172984

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	6.339927107789074
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSqLXnIggC/pnxQwRlscT5sKL0w3eHVvwKXTsamhujJmyOOxmOmaoRf:GUpOxHIanRfV3eNwCTs4JNKRh5
MD5:	4754EE980D0DDDF0F834551A5130EC81
SHA1:	E92FC66CB526E2FF28440E07494BDEABF241ADCC
SHA-256:	B1B28696D367C6A0CE6B0AE195844E0C88E501EFC671ED637B54080384EB8B47
SHA-512:	505F047695FF25370157207436C580FF235BF45298B85CE2DBB7CEC5E01AFDB425E666DF4E48FF6C4BB01DE618F135AAB738B5C67CD1CD1C6411EB127C894AA8
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{73a277bc-7579-4f58-a02c-08512d6c0655}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1729841522074,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758...dth":116....eight":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...46f3a197-db49-410a-81b3-94975c835573","zD..1...Wm..l........j..:....1":{..jUpdate...5,"startTim..`486553...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abfc0b67c202aaf415a5b7a51708a5c3270bb6f2f7664428a48797f00afbef6fc","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry..@4921..xoriginA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	6.339927107789074
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSqLXnIggC/pnxQwRlscT5sKL0w3eHVvwKXTsamhujJmyOOxmOmaoRf:GUpOxHIanRfV3eNwCTs4JNKRh5
MD5:	4754EE980D0DDDF0F834551A5130EC81
SHA1:	E92FC66CB526E2FF28440E07494BDEABF241ADCC
SHA-256:	B1B28696D367C6A0CE6B0AE195844E0C88E501EFC671ED637B54080384EB8B47
SHA-512:	505F047695FF25370157207436C580FF235BF45298B85CE2DBB7CEC5E01AFDB425E666DF4E48FF6C4BB01DE618F135AAB738B5C67CD1CD1C6411EB127C894AA8
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{73a277bc-7579-4f58-a02c-08512d6c0655}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1729841522074,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758...dth":116....eight":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...46f3a197-db49-410a-81b3-94975c835573","zD..1...Wm..l........j..:....1":{..jUpdate...5,"startTim..`486553...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abfc0b67c202aaf415a5b7a51708a5c3270bb6f2f7664428a48797f00afbef6fc","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry..@4921..xoriginA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	6.339927107789074
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSqLXnIggC/pnxQwRlscT5sKL0w3eHVvwKXTsamhujJmyOOxmOmaoRf:GUpOxHIanRfV3eNwCTs4JNKRh5
MD5:	4754EE980D0DDDF0F834551A5130EC81
SHA1:	E92FC66CB526E2FF28440E07494BDEABF241ADCC
SHA-256:	B1B28696D367C6A0CE6B0AE195844E0C88E501EFC671ED637B54080384EB8B47
SHA-512:	505F047695FF25370157207436C580FF235BF45298B85CE2DBB7CEC5E01AFDB425E666DF4E48FF6C4BB01DE618F135AAB738B5C67CD1CD1C6411EB127C894AA8
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{73a277bc-7579-4f58-a02c-08512d6c0655}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1729841522074,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758...dth":116....eight":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...46f3a197-db49-410a-81b3-94975c835573","zD..1...Wm..l........j..:....1":{..jUpdate...5,"startTim..`486553...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abfc0b67c202aaf415a5b7a51708a5c3270bb6f2f7664428a48797f00afbef6fc","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry..@4921..xoriginA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 4, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.042811512334329
Encrypted:	false
SSDEEP:	24:JBkSldh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jkSWEUo9LXtR+JdkOnohYsl
MD5:	21235938025E2102017AC8C9748948A4
SHA1:	A1EED1C4588724A8396C95FC9923C0A33B360FF8
SHA-256:	E34B06B180E3F73DC8E441650BB7FE694A9D58E927412D6ED40B0852B784824E
SHA-512:	D334B419A2A75179C17D7F53BF65FCC132ADE03B21059F0007ACDBB08284A281D8CE1C1CC598E6A070024D0DAE158E2E9618E121342BE068E87A051FE33D6061
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4411
Entropy (8bit):	5.009073713588845
Encrypted:	false
SSDEEP:	48:YrSAYeYHqUQZpExB1+anOdW6VhOGVpWJzzcsYMsku7f86SLAVL775FtsfAcbyJF4:ycLCTEr5NfJzzcBvbw6Kkvrc2Rn27
MD5:	CC8E8B7EB0290198E328179B8976C45E
SHA1:	FEC538F48CCF35C1F0274C678ED0CEE1AF1056BA
SHA-256:	8334E21BAC7390F8270A999B3C591B9F2C0AB3D0BABDEDB3C7ADE9216940943D
SHA-512:	7D97206278EE4666414B1A128D3E0CBE6D177B4234F8F45ACD4A058819E7F4A4E1A4B9ECA5AAB0426400CA9A9C36FCE34B2E0C662AFF569453922C864AA4A121
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-25T07:31:43.325Z","profileAgeCreated":1696486829272,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4411
Entropy (8bit):	5.009073713588845
Encrypted:	false
SSDEEP:	48:YrSAYeYHqUQZpExB1+anOdW6VhOGVpWJzzcsYMsku7f86SLAVL775FtsfAcbyJF4:ycLCTEr5NfJzzcBvbw6Kkvrc2Rn27
MD5:	CC8E8B7EB0290198E328179B8976C45E
SHA1:	FEC538F48CCF35C1F0274C678ED0CEE1AF1056BA
SHA-256:	8334E21BAC7390F8270A999B3C591B9F2C0AB3D0BABDEDB3C7ADE9216940943D
SHA-512:	7D97206278EE4666414B1A128D3E0CBE6D177B4234F8F45ACD4A058819E7F4A4E1A4B9ECA5AAB0426400CA9A9C36FCE34B2E0C662AFF569453922C864AA4A121
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-25T07:31:43.325Z","profileAgeCreated":1696486829272,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584695548584188
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	8412121d3d892e5ca7128d1173835c1b
SHA1:	69398fa874fe2ea465313f1bda84d9d7ae6c0fe4
SHA256:	3a4db3a0fc3ba4562ae011a747d31937479db2838cc8c5c99c9e799bd2a4a0a4
SHA512:	7690ea8d945dcc6339a36c1f52c3d0d706b4fcd1d34215d20ac4d74d537eec0df711f3ecebb87cc5ecc13377235fd9c9c2b3c45541dd44de246b319aa32bbdc7
SSDEEP:	12288:eqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/Tk:eqDEvCTbMWu7rQYlBQcBiT6rprG8abk
TLSH:	A1159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x671B2990 [Fri Oct 25 05:16:00 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F7E08E3FBC3h
jmp 00007F7E08E3F4CFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F7E08E3F6ADh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F7E08E3F67Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F7E08E4226Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F7E08E422B8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F7E08E422A1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	6c80c11cd312e370201cb015d0c58f51	False	0.3156398338607595	data	5.37373846254327	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2024 07:36:31.502834082 CEST	49726	443	192.168.2.6	35.190.72.216
Oct 25, 2024 07:36:31.502918959 CEST	443	49726	35.190.72.216	192.168.2.6
Oct 25, 2024 07:36:31.505395889 CEST	49727	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:31.506530046 CEST	49726	443	192.168.2.6	35.190.72.216
Oct 25, 2024 07:36:31.511006117 CEST	80	49727	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:31.515953064 CEST	49726	443	192.168.2.6	35.190.72.216
Oct 25, 2024 07:36:31.516033888 CEST	443	49726	35.190.72.216	192.168.2.6
Oct 25, 2024 07:36:31.526748896 CEST	49727	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:31.528311968 CEST	49727	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:31.533766985 CEST	80	49727	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:31.535722017 CEST	49729	443	192.168.2.6	142.250.185.238
Oct 25, 2024 07:36:31.535768986 CEST	443	49729	142.250.185.238	192.168.2.6
Oct 25, 2024 07:36:31.547297955 CEST	49729	443	192.168.2.6	142.250.185.238
Oct 25, 2024 07:36:31.579305887 CEST	49729	443	192.168.2.6	142.250.185.238
Oct 25, 2024 07:36:31.579333067 CEST	443	49729	142.250.185.238	192.168.2.6
Oct 25, 2024 07:36:32.029372931 CEST	49731	443	192.168.2.6	142.250.185.238
Oct 25, 2024 07:36:32.029412031 CEST	443	49731	142.250.185.238	192.168.2.6
Oct 25, 2024 07:36:32.034226894 CEST	49731	443	192.168.2.6	142.250.185.238
Oct 25, 2024 07:36:32.035737038 CEST	49731	443	192.168.2.6	142.250.185.238
Oct 25, 2024 07:36:32.035752058 CEST	443	49731	142.250.185.238	192.168.2.6
Oct 25, 2024 07:36:32.130609989 CEST	80	49727	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:32.145689011 CEST	443	49726	35.190.72.216	192.168.2.6
Oct 25, 2024 07:36:32.145776987 CEST	49726	443	192.168.2.6	35.190.72.216
Oct 25, 2024 07:36:32.155601978 CEST	49726	443	192.168.2.6	35.190.72.216
Oct 25, 2024 07:36:32.155622005 CEST	443	49726	35.190.72.216	192.168.2.6
Oct 25, 2024 07:36:32.155780077 CEST	49726	443	192.168.2.6	35.190.72.216
Oct 25, 2024 07:36:32.155855894 CEST	443	49726	35.190.72.216	192.168.2.6
Oct 25, 2024 07:36:32.156291008 CEST	49726	443	192.168.2.6	35.190.72.216
Oct 25, 2024 07:36:32.156336069 CEST	49732	443	192.168.2.6	35.190.72.216
Oct 25, 2024 07:36:32.156419992 CEST	443	49732	35.190.72.216	192.168.2.6
Oct 25, 2024 07:36:32.156524897 CEST	49732	443	192.168.2.6	35.190.72.216
Oct 25, 2024 07:36:32.157985926 CEST	49732	443	192.168.2.6	35.190.72.216
Oct 25, 2024 07:36:32.158021927 CEST	443	49732	35.190.72.216	192.168.2.6
Oct 25, 2024 07:36:32.257972002 CEST	49727	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:32.437338114 CEST	443	49729	142.250.185.238	192.168.2.6
Oct 25, 2024 07:36:32.437356949 CEST	443	49729	142.250.185.238	192.168.2.6
Oct 25, 2024 07:36:32.438349009 CEST	443	49729	142.250.185.238	192.168.2.6
Oct 25, 2024 07:36:32.442325115 CEST	49729	443	192.168.2.6	142.250.185.238
Oct 25, 2024 07:36:32.442347050 CEST	443	49729	142.250.185.238	192.168.2.6
Oct 25, 2024 07:36:32.448945999 CEST	49729	443	192.168.2.6	142.250.185.238
Oct 25, 2024 07:36:32.448964119 CEST	443	49729	142.250.185.238	192.168.2.6
Oct 25, 2024 07:36:32.449055910 CEST	49729	443	192.168.2.6	142.250.185.238
Oct 25, 2024 07:36:32.449232101 CEST	443	49729	142.250.185.238	192.168.2.6
Oct 25, 2024 07:36:32.449312925 CEST	49729	443	192.168.2.6	142.250.185.238
Oct 25, 2024 07:36:32.460118055 CEST	49733	443	192.168.2.6	34.117.188.166
Oct 25, 2024 07:36:32.460201025 CEST	443	49733	34.117.188.166	192.168.2.6
Oct 25, 2024 07:36:32.460823059 CEST	49733	443	192.168.2.6	34.117.188.166
Oct 25, 2024 07:36:32.462193966 CEST	49733	443	192.168.2.6	34.117.188.166
Oct 25, 2024 07:36:32.462243080 CEST	443	49733	34.117.188.166	192.168.2.6
Oct 25, 2024 07:36:32.793109894 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:32.798609018 CEST	80	49734	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:32.801502943 CEST	443	49732	35.190.72.216	192.168.2.6
Oct 25, 2024 07:36:32.806555986 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:32.806595087 CEST	49732	443	192.168.2.6	35.190.72.216
Oct 25, 2024 07:36:32.809154034 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:32.811144114 CEST	49732	443	192.168.2.6	35.190.72.216
Oct 25, 2024 07:36:32.811144114 CEST	49732	443	192.168.2.6	35.190.72.216
Oct 25, 2024 07:36:32.811203003 CEST	443	49732	35.190.72.216	192.168.2.6
Oct 25, 2024 07:36:32.811774015 CEST	443	49732	35.190.72.216	192.168.2.6
Oct 25, 2024 07:36:32.812809944 CEST	49732	443	192.168.2.6	35.190.72.216
Oct 25, 2024 07:36:32.813431025 CEST	49735	443	192.168.2.6	34.117.188.166
Oct 25, 2024 07:36:32.813514948 CEST	443	49735	34.117.188.166	192.168.2.6
Oct 25, 2024 07:36:32.813860893 CEST	49735	443	192.168.2.6	34.117.188.166
Oct 25, 2024 07:36:32.814537048 CEST	80	49734	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:32.815213919 CEST	49735	443	192.168.2.6	34.117.188.166
Oct 25, 2024 07:36:32.815251112 CEST	443	49735	34.117.188.166	192.168.2.6
Oct 25, 2024 07:36:32.816119909 CEST	49736	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:36:32.816174030 CEST	443	49736	35.244.181.201	192.168.2.6
Oct 25, 2024 07:36:32.821227074 CEST	49736	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:36:32.821343899 CEST	49736	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:36:32.821374893 CEST	443	49736	35.244.181.201	192.168.2.6
Oct 25, 2024 07:36:32.825779915 CEST	49737	443	192.168.2.6	34.160.144.191
Oct 25, 2024 07:36:32.825820923 CEST	443	49737	34.160.144.191	192.168.2.6
Oct 25, 2024 07:36:32.826431990 CEST	49737	443	192.168.2.6	34.160.144.191
Oct 25, 2024 07:36:32.826566935 CEST	49737	443	192.168.2.6	34.160.144.191
Oct 25, 2024 07:36:32.826577902 CEST	443	49737	34.160.144.191	192.168.2.6
Oct 25, 2024 07:36:32.885576010 CEST	443	49731	142.250.185.238	192.168.2.6
Oct 25, 2024 07:36:32.886353970 CEST	49731	443	192.168.2.6	142.250.185.238
Oct 25, 2024 07:36:32.888191938 CEST	443	49731	142.250.185.238	192.168.2.6
Oct 25, 2024 07:36:32.888325930 CEST	49731	443	192.168.2.6	142.250.185.238
Oct 25, 2024 07:36:32.891180038 CEST	49731	443	192.168.2.6	142.250.185.238
Oct 25, 2024 07:36:32.891185999 CEST	443	49731	142.250.185.238	192.168.2.6
Oct 25, 2024 07:36:32.891336918 CEST	49731	443	192.168.2.6	142.250.185.238
Oct 25, 2024 07:36:32.891853094 CEST	49738	443	192.168.2.6	142.250.185.238
Oct 25, 2024 07:36:32.891885042 CEST	443	49731	142.250.185.238	192.168.2.6
Oct 25, 2024 07:36:32.891936064 CEST	443	49738	142.250.185.238	192.168.2.6
Oct 25, 2024 07:36:32.892030001 CEST	49738	443	192.168.2.6	142.250.185.238
Oct 25, 2024 07:36:32.892111063 CEST	49731	443	192.168.2.6	142.250.185.238
Oct 25, 2024 07:36:32.893420935 CEST	49738	443	192.168.2.6	142.250.185.238
Oct 25, 2024 07:36:32.893482924 CEST	443	49738	142.250.185.238	192.168.2.6
Oct 25, 2024 07:36:32.973011971 CEST	49727	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:32.978458881 CEST	80	49727	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:33.079030037 CEST	443	49733	34.117.188.166	192.168.2.6
Oct 25, 2024 07:36:33.083367109 CEST	443	49733	34.117.188.166	192.168.2.6
Oct 25, 2024 07:36:33.091767073 CEST	49733	443	192.168.2.6	34.117.188.166
Oct 25, 2024 07:36:33.097767115 CEST	49733	443	192.168.2.6	34.117.188.166
Oct 25, 2024 07:36:33.097830057 CEST	443	49733	34.117.188.166	192.168.2.6
Oct 25, 2024 07:36:33.097887039 CEST	49733	443	192.168.2.6	34.117.188.166
Oct 25, 2024 07:36:33.098202944 CEST	49739	443	192.168.2.6	34.117.188.166
Oct 25, 2024 07:36:33.098206997 CEST	443	49733	34.117.188.166	192.168.2.6
Oct 25, 2024 07:36:33.098298073 CEST	443	49739	34.117.188.166	192.168.2.6
Oct 25, 2024 07:36:33.098429918 CEST	49733	443	192.168.2.6	34.117.188.166
Oct 25, 2024 07:36:33.098921061 CEST	49739	443	192.168.2.6	34.117.188.166
Oct 25, 2024 07:36:33.099575996 CEST	80	49727	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:33.100296974 CEST	49739	443	192.168.2.6	34.117.188.166
Oct 25, 2024 07:36:33.100318909 CEST	443	49739	34.117.188.166	192.168.2.6
Oct 25, 2024 07:36:33.160705090 CEST	49727	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:33.262742043 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:33.282668114 CEST	80	49734	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:33.284507036 CEST	49734	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:33.436047077 CEST	443	49735	34.117.188.166	192.168.2.6
Oct 25, 2024 07:36:33.436517954 CEST	49735	443	192.168.2.6	34.117.188.166
Oct 25, 2024 07:36:33.442060947 CEST	49735	443	192.168.2.6	34.117.188.166
Oct 25, 2024 07:36:33.442086935 CEST	443	49735	34.117.188.166	192.168.2.6
Oct 25, 2024 07:36:33.442147970 CEST	49735	443	192.168.2.6	34.117.188.166
Oct 25, 2024 07:36:33.442399025 CEST	443	49735	34.117.188.166	192.168.2.6
Oct 25, 2024 07:36:33.442506075 CEST	49735	443	192.168.2.6	34.117.188.166
Oct 25, 2024 07:36:33.446024895 CEST	443	49737	34.160.144.191	192.168.2.6
Oct 25, 2024 07:36:33.446106911 CEST	49737	443	192.168.2.6	34.160.144.191
Oct 25, 2024 07:36:33.449292898 CEST	49737	443	192.168.2.6	34.160.144.191
Oct 25, 2024 07:36:33.449301004 CEST	443	49737	34.160.144.191	192.168.2.6
Oct 25, 2024 07:36:33.449693918 CEST	443	49737	34.160.144.191	192.168.2.6
Oct 25, 2024 07:36:33.451632977 CEST	49740	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:33.453999043 CEST	49737	443	192.168.2.6	34.160.144.191
Oct 25, 2024 07:36:33.454123020 CEST	49737	443	192.168.2.6	34.160.144.191
Oct 25, 2024 07:36:33.454170942 CEST	443	49737	34.160.144.191	192.168.2.6
Oct 25, 2024 07:36:33.454461098 CEST	49741	443	192.168.2.6	34.160.144.191
Oct 25, 2024 07:36:33.454504013 CEST	49737	443	192.168.2.6	34.160.144.191
Oct 25, 2024 07:36:33.454504013 CEST	49737	443	192.168.2.6	34.160.144.191
Oct 25, 2024 07:36:33.454544067 CEST	443	49741	34.160.144.191	192.168.2.6
Oct 25, 2024 07:36:33.455852985 CEST	443	49736	35.244.181.201	192.168.2.6
Oct 25, 2024 07:36:33.455970049 CEST	49741	443	192.168.2.6	34.160.144.191
Oct 25, 2024 07:36:33.455979109 CEST	49736	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:36:33.457010984 CEST	80	49740	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:33.458817959 CEST	49736	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:36:33.458848000 CEST	443	49736	35.244.181.201	192.168.2.6
Oct 25, 2024 07:36:33.458954096 CEST	49741	443	192.168.2.6	34.160.144.191
Oct 25, 2024 07:36:33.458991051 CEST	443	49741	34.160.144.191	192.168.2.6
Oct 25, 2024 07:36:33.459296942 CEST	443	49736	35.244.181.201	192.168.2.6
Oct 25, 2024 07:36:33.460602045 CEST	49740	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:33.460750103 CEST	49740	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:33.463107109 CEST	49736	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:36:33.463191986 CEST	49736	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:36:33.463670015 CEST	443	49736	35.244.181.201	192.168.2.6
Oct 25, 2024 07:36:33.464061975 CEST	49736	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:36:33.466097116 CEST	80	49740	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:33.533397913 CEST	49727	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:33.539268970 CEST	80	49727	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:33.539741039 CEST	49727	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:33.686877012 CEST	49743	443	192.168.2.6	34.117.188.166
Oct 25, 2024 07:36:33.686959982 CEST	443	49743	34.117.188.166	192.168.2.6
Oct 25, 2024 07:36:33.688256979 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:33.689110041 CEST	49743	443	192.168.2.6	34.117.188.166
Oct 25, 2024 07:36:33.690614939 CEST	49743	443	192.168.2.6	34.117.188.166
Oct 25, 2024 07:36:33.690685034 CEST	443	49743	34.117.188.166	192.168.2.6
Oct 25, 2024 07:36:33.693798065 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:33.694544077 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:33.694906950 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:33.700345993 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:33.709434032 CEST	443	49739	34.117.188.166	192.168.2.6
Oct 25, 2024 07:36:33.709634066 CEST	49739	443	192.168.2.6	34.117.188.166
Oct 25, 2024 07:36:33.714571953 CEST	49739	443	192.168.2.6	34.117.188.166
Oct 25, 2024 07:36:33.714624882 CEST	443	49739	34.117.188.166	192.168.2.6
Oct 25, 2024 07:36:33.714677095 CEST	49739	443	192.168.2.6	34.117.188.166
Oct 25, 2024 07:36:33.714873075 CEST	443	49739	34.117.188.166	192.168.2.6
Oct 25, 2024 07:36:33.715142012 CEST	49739	443	192.168.2.6	34.117.188.166
Oct 25, 2024 07:36:33.746249914 CEST	443	49738	142.250.185.238	192.168.2.6
Oct 25, 2024 07:36:33.746337891 CEST	49738	443	192.168.2.6	142.250.185.238
Oct 25, 2024 07:36:33.748766899 CEST	443	49738	142.250.185.238	192.168.2.6
Oct 25, 2024 07:36:33.748851061 CEST	49738	443	192.168.2.6	142.250.185.238
Oct 25, 2024 07:36:33.752404928 CEST	49738	443	192.168.2.6	142.250.185.238
Oct 25, 2024 07:36:33.752404928 CEST	49738	443	192.168.2.6	142.250.185.238
Oct 25, 2024 07:36:33.752464056 CEST	443	49738	142.250.185.238	192.168.2.6
Oct 25, 2024 07:36:33.752825022 CEST	443	49738	142.250.185.238	192.168.2.6
Oct 25, 2024 07:36:33.753035069 CEST	49738	443	192.168.2.6	142.250.185.238
Oct 25, 2024 07:36:34.056672096 CEST	80	49740	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:34.058341026 CEST	49740	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:34.063837051 CEST	80	49740	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:34.067130089 CEST	49740	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:34.105103016 CEST	443	49741	34.160.144.191	192.168.2.6
Oct 25, 2024 07:36:34.115381956 CEST	443	49741	34.160.144.191	192.168.2.6
Oct 25, 2024 07:36:34.118288040 CEST	49741	443	192.168.2.6	34.160.144.191
Oct 25, 2024 07:36:34.129705906 CEST	49741	443	192.168.2.6	34.160.144.191
Oct 25, 2024 07:36:34.129761934 CEST	443	49741	34.160.144.191	192.168.2.6
Oct 25, 2024 07:36:34.130739927 CEST	443	49741	34.160.144.191	192.168.2.6
Oct 25, 2024 07:36:34.135010958 CEST	49741	443	192.168.2.6	34.160.144.191
Oct 25, 2024 07:36:34.135010958 CEST	49741	443	192.168.2.6	34.160.144.191
Oct 25, 2024 07:36:34.135541916 CEST	443	49741	34.160.144.191	192.168.2.6
Oct 25, 2024 07:36:34.138526917 CEST	49741	443	192.168.2.6	34.160.144.191
Oct 25, 2024 07:36:34.138571978 CEST	49741	443	192.168.2.6	34.160.144.191
Oct 25, 2024 07:36:34.402648926 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:34.412017107 CEST	443	49743	34.117.188.166	192.168.2.6
Oct 25, 2024 07:36:34.421354055 CEST	49743	443	192.168.2.6	34.117.188.166
Oct 25, 2024 07:36:34.438718081 CEST	49743	443	192.168.2.6	34.117.188.166
Oct 25, 2024 07:36:34.438718081 CEST	49743	443	192.168.2.6	34.117.188.166
Oct 25, 2024 07:36:34.438828945 CEST	443	49743	34.117.188.166	192.168.2.6
Oct 25, 2024 07:36:34.439095974 CEST	49745	443	192.168.2.6	34.117.188.166
Oct 25, 2024 07:36:34.439157963 CEST	443	49743	34.117.188.166	192.168.2.6
Oct 25, 2024 07:36:34.439188004 CEST	443	49745	34.117.188.166	192.168.2.6
Oct 25, 2024 07:36:34.441349983 CEST	49743	443	192.168.2.6	34.117.188.166
Oct 25, 2024 07:36:34.441389084 CEST	49745	443	192.168.2.6	34.117.188.166
Oct 25, 2024 07:36:34.447638035 CEST	49745	443	192.168.2.6	34.117.188.166
Oct 25, 2024 07:36:34.447710991 CEST	443	49745	34.117.188.166	192.168.2.6
Oct 25, 2024 07:36:34.461747885 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:34.706954956 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:34.712385893 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:34.716334105 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:34.716334105 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:34.721719980 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:34.770469904 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:34.956155062 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:35.074409962 CEST	443	49745	34.117.188.166	192.168.2.6
Oct 25, 2024 07:36:35.082004070 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:35.083373070 CEST	443	49745	34.117.188.166	192.168.2.6
Oct 25, 2024 07:36:35.089001894 CEST	49745	443	192.168.2.6	34.117.188.166
Oct 25, 2024 07:36:35.092613935 CEST	49745	443	192.168.2.6	34.117.188.166
Oct 25, 2024 07:36:35.092668056 CEST	443	49745	34.117.188.166	192.168.2.6
Oct 25, 2024 07:36:35.092725992 CEST	49745	443	192.168.2.6	34.117.188.166
Oct 25, 2024 07:36:35.093209982 CEST	443	49745	34.117.188.166	192.168.2.6
Oct 25, 2024 07:36:35.094562054 CEST	49745	443	192.168.2.6	34.117.188.166
Oct 25, 2024 07:36:35.142225027 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:35.310729980 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:35.358481884 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:38.252248049 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:38.253010988 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:38.257704973 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:38.258377075 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:38.376735926 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:38.384017944 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:38.431664944 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:38.431700945 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:42.778290987 CEST	49753	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:36:42.778333902 CEST	443	49753	35.244.181.201	192.168.2.6
Oct 25, 2024 07:36:42.778436899 CEST	49753	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:36:42.778595924 CEST	49753	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:36:42.778608084 CEST	443	49753	35.244.181.201	192.168.2.6
Oct 25, 2024 07:36:42.825305939 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:42.830848932 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:42.835073948 CEST	62164	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:42.835158110 CEST	443	62164	34.120.208.123	192.168.2.6
Oct 25, 2024 07:36:42.835410118 CEST	62164	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:42.857391119 CEST	62164	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:42.857466936 CEST	443	62164	34.120.208.123	192.168.2.6
Oct 25, 2024 07:36:42.950103998 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:43.003032923 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:43.128005028 CEST	62165	443	192.168.2.6	34.107.243.93
Oct 25, 2024 07:36:43.128087997 CEST	443	62165	34.107.243.93	192.168.2.6
Oct 25, 2024 07:36:43.129113913 CEST	62165	443	192.168.2.6	34.107.243.93
Oct 25, 2024 07:36:43.130456924 CEST	62165	443	192.168.2.6	34.107.243.93
Oct 25, 2024 07:36:43.130537033 CEST	443	62165	34.107.243.93	192.168.2.6
Oct 25, 2024 07:36:43.379417896 CEST	443	49753	35.244.181.201	192.168.2.6
Oct 25, 2024 07:36:43.379513979 CEST	49753	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:36:43.382414103 CEST	49753	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:36:43.382422924 CEST	443	49753	35.244.181.201	192.168.2.6
Oct 25, 2024 07:36:43.382738113 CEST	443	49753	35.244.181.201	192.168.2.6
Oct 25, 2024 07:36:43.385194063 CEST	49753	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:36:43.385266066 CEST	49753	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:36:43.385451078 CEST	443	49753	35.244.181.201	192.168.2.6
Oct 25, 2024 07:36:43.388673067 CEST	49753	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:36:43.470516920 CEST	443	62164	34.120.208.123	192.168.2.6
Oct 25, 2024 07:36:43.470765114 CEST	62164	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:43.475359917 CEST	62164	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:43.475395918 CEST	443	62164	34.120.208.123	192.168.2.6
Oct 25, 2024 07:36:43.475446939 CEST	62164	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:43.475783110 CEST	443	62164	34.120.208.123	192.168.2.6
Oct 25, 2024 07:36:43.484347105 CEST	62164	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:43.963834047 CEST	443	62165	34.107.243.93	192.168.2.6
Oct 25, 2024 07:36:43.964107037 CEST	62165	443	192.168.2.6	34.107.243.93
Oct 25, 2024 07:36:43.971111059 CEST	62165	443	192.168.2.6	34.107.243.93
Oct 25, 2024 07:36:43.971111059 CEST	62165	443	192.168.2.6	34.107.243.93
Oct 25, 2024 07:36:43.971168995 CEST	443	62165	34.107.243.93	192.168.2.6
Oct 25, 2024 07:36:43.971569061 CEST	443	62165	34.107.243.93	192.168.2.6
Oct 25, 2024 07:36:43.971796989 CEST	62165	443	192.168.2.6	34.107.243.93
Oct 25, 2024 07:36:45.063610077 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:45.069346905 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:45.078253031 CEST	62166	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:45.078340054 CEST	443	62166	34.120.208.123	192.168.2.6
Oct 25, 2024 07:36:45.079665899 CEST	62166	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:45.091767073 CEST	62166	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:45.091845036 CEST	443	62166	34.120.208.123	192.168.2.6
Oct 25, 2024 07:36:45.197304010 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:45.244626999 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:45.395653963 CEST	62167	443	192.168.2.6	34.149.100.209
Oct 25, 2024 07:36:45.395714998 CEST	443	62167	34.149.100.209	192.168.2.6
Oct 25, 2024 07:36:45.395915031 CEST	62167	443	192.168.2.6	34.149.100.209
Oct 25, 2024 07:36:45.397367001 CEST	62167	443	192.168.2.6	34.149.100.209
Oct 25, 2024 07:36:45.397402048 CEST	443	62167	34.149.100.209	192.168.2.6
Oct 25, 2024 07:36:45.452605009 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:45.458019018 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:45.577331066 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:45.630286932 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:45.699481010 CEST	443	62166	34.120.208.123	192.168.2.6
Oct 25, 2024 07:36:45.699697971 CEST	62166	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:45.708458900 CEST	62166	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:45.708519936 CEST	443	62166	34.120.208.123	192.168.2.6
Oct 25, 2024 07:36:45.708580971 CEST	62166	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:45.708820105 CEST	443	62166	34.120.208.123	192.168.2.6
Oct 25, 2024 07:36:45.709044933 CEST	62166	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:45.817640066 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:45.819243908 CEST	62168	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:45.819287062 CEST	443	62168	34.120.208.123	192.168.2.6
Oct 25, 2024 07:36:45.819981098 CEST	62168	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:45.821333885 CEST	62168	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:45.821367025 CEST	443	62168	34.120.208.123	192.168.2.6
Oct 25, 2024 07:36:45.823287010 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:45.950527906 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:45.953999996 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:45.961055040 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:45.993526936 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:46.015693903 CEST	443	62167	34.149.100.209	192.168.2.6
Oct 25, 2024 07:36:46.016081095 CEST	62167	443	192.168.2.6	34.149.100.209
Oct 25, 2024 07:36:46.021313906 CEST	62167	443	192.168.2.6	34.149.100.209
Oct 25, 2024 07:36:46.021403074 CEST	443	62167	34.149.100.209	192.168.2.6
Oct 25, 2024 07:36:46.021462917 CEST	62167	443	192.168.2.6	34.149.100.209
Oct 25, 2024 07:36:46.021640062 CEST	443	62167	34.149.100.209	192.168.2.6
Oct 25, 2024 07:36:46.021797895 CEST	62169	443	192.168.2.6	34.149.100.209
Oct 25, 2024 07:36:46.021846056 CEST	443	62169	34.149.100.209	192.168.2.6
Oct 25, 2024 07:36:46.027271032 CEST	62167	443	192.168.2.6	34.149.100.209
Oct 25, 2024 07:36:46.027287006 CEST	62169	443	192.168.2.6	34.149.100.209
Oct 25, 2024 07:36:46.028825045 CEST	62169	443	192.168.2.6	34.149.100.209
Oct 25, 2024 07:36:46.028862953 CEST	443	62169	34.149.100.209	192.168.2.6
Oct 25, 2024 07:36:46.080600977 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:46.131591082 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:46.668951035 CEST	443	62168	34.120.208.123	192.168.2.6
Oct 25, 2024 07:36:46.669060946 CEST	62168	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:46.674088001 CEST	443	62169	34.149.100.209	192.168.2.6
Oct 25, 2024 07:36:46.674320936 CEST	62169	443	192.168.2.6	34.149.100.209
Oct 25, 2024 07:36:47.153692007 CEST	62168	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:47.153714895 CEST	443	62168	34.120.208.123	192.168.2.6
Oct 25, 2024 07:36:47.153769016 CEST	62168	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:47.153989077 CEST	443	62168	34.120.208.123	192.168.2.6
Oct 25, 2024 07:36:47.154490948 CEST	62168	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:47.156025887 CEST	62169	443	192.168.2.6	34.149.100.209
Oct 25, 2024 07:36:47.156025887 CEST	62169	443	192.168.2.6	34.149.100.209
Oct 25, 2024 07:36:47.156109095 CEST	443	62169	34.149.100.209	192.168.2.6
Oct 25, 2024 07:36:47.156671047 CEST	443	62169	34.149.100.209	192.168.2.6
Oct 25, 2024 07:36:47.157608986 CEST	62169	443	192.168.2.6	34.149.100.209
Oct 25, 2024 07:36:47.203176022 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:47.208803892 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:47.334698915 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:47.382148981 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:48.221901894 CEST	62171	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:48.221941948 CEST	443	62171	34.120.208.123	192.168.2.6
Oct 25, 2024 07:36:48.222126007 CEST	62171	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:48.222414970 CEST	62171	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:48.222445965 CEST	443	62171	34.120.208.123	192.168.2.6
Oct 25, 2024 07:36:48.224140882 CEST	62172	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:48.224226952 CEST	443	62172	34.120.208.123	192.168.2.6
Oct 25, 2024 07:36:48.224859953 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:48.227915049 CEST	62172	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:48.228029013 CEST	62172	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:48.228058100 CEST	443	62172	34.120.208.123	192.168.2.6
Oct 25, 2024 07:36:48.230238914 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:48.236601114 CEST	62173	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:48.236633062 CEST	443	62173	34.120.208.123	192.168.2.6
Oct 25, 2024 07:36:48.237782001 CEST	62173	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:48.239305973 CEST	62173	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:48.239326000 CEST	443	62173	34.120.208.123	192.168.2.6
Oct 25, 2024 07:36:48.349488020 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:48.400597095 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:48.822873116 CEST	443	62171	34.120.208.123	192.168.2.6
Oct 25, 2024 07:36:48.823959112 CEST	62171	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:48.841389894 CEST	443	62172	34.120.208.123	192.168.2.6
Oct 25, 2024 07:36:48.841559887 CEST	62172	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:48.861257076 CEST	443	62173	34.120.208.123	192.168.2.6
Oct 25, 2024 07:36:48.861327887 CEST	62173	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:49.490417957 CEST	62171	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:49.490447998 CEST	443	62171	34.120.208.123	192.168.2.6
Oct 25, 2024 07:36:49.490834951 CEST	443	62171	34.120.208.123	192.168.2.6
Oct 25, 2024 07:36:49.492825985 CEST	62172	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:49.492903948 CEST	443	62172	34.120.208.123	192.168.2.6
Oct 25, 2024 07:36:49.493940115 CEST	443	62172	34.120.208.123	192.168.2.6
Oct 25, 2024 07:36:49.497981071 CEST	62171	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:49.498075008 CEST	62171	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:49.498186111 CEST	443	62171	34.120.208.123	192.168.2.6
Oct 25, 2024 07:36:49.499677896 CEST	62172	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:49.499677896 CEST	62172	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:49.500334024 CEST	443	62172	34.120.208.123	192.168.2.6
Oct 25, 2024 07:36:49.502171040 CEST	62173	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:49.502171993 CEST	62173	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:49.502203941 CEST	443	62173	34.120.208.123	192.168.2.6
Oct 25, 2024 07:36:49.502835035 CEST	443	62173	34.120.208.123	192.168.2.6
Oct 25, 2024 07:36:49.503328085 CEST	443	62171	34.120.208.123	192.168.2.6
Oct 25, 2024 07:36:49.503783941 CEST	62171	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:49.503814936 CEST	62171	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:49.503815889 CEST	62172	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:49.503882885 CEST	62172	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:49.511735916 CEST	62173	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:49.511754990 CEST	62171	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:50.014157057 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:50.020920992 CEST	62174	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:50.021007061 CEST	443	62174	34.120.208.123	192.168.2.6
Oct 25, 2024 07:36:50.022099018 CEST	62174	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:50.023355007 CEST	62174	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:50.023422003 CEST	443	62174	34.120.208.123	192.168.2.6
Oct 25, 2024 07:36:50.025321007 CEST	62175	443	192.168.2.6	34.107.243.93
Oct 25, 2024 07:36:50.025377035 CEST	443	62175	34.107.243.93	192.168.2.6
Oct 25, 2024 07:36:50.027358055 CEST	62175	443	192.168.2.6	34.107.243.93
Oct 25, 2024 07:36:50.029162884 CEST	62175	443	192.168.2.6	34.107.243.93
Oct 25, 2024 07:36:50.029241085 CEST	443	62175	34.107.243.93	192.168.2.6
Oct 25, 2024 07:36:50.328246117 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:50.845544100 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:50.845709085 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:50.970372915 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:50.974462032 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:50.980010033 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:51.030333042 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:51.099127054 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:51.146128893 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:51.478288889 CEST	443	62174	34.120.208.123	192.168.2.6
Oct 25, 2024 07:36:51.478518009 CEST	62174	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:51.483078003 CEST	62174	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:51.483133078 CEST	443	62174	34.120.208.123	192.168.2.6
Oct 25, 2024 07:36:51.483191013 CEST	62174	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:51.483355045 CEST	443	62174	34.120.208.123	192.168.2.6
Oct 25, 2024 07:36:51.483577967 CEST	62174	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:51.486556053 CEST	443	62175	34.107.243.93	192.168.2.6
Oct 25, 2024 07:36:51.486651897 CEST	62175	443	192.168.2.6	34.107.243.93
Oct 25, 2024 07:36:51.491063118 CEST	62175	443	192.168.2.6	34.107.243.93
Oct 25, 2024 07:36:51.491089106 CEST	443	62175	34.107.243.93	192.168.2.6
Oct 25, 2024 07:36:51.491142988 CEST	62175	443	192.168.2.6	34.107.243.93
Oct 25, 2024 07:36:51.491763115 CEST	443	62175	34.107.243.93	192.168.2.6
Oct 25, 2024 07:36:51.491971970 CEST	62175	443	192.168.2.6	34.107.243.93
Oct 25, 2024 07:36:52.000735998 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:52.002419949 CEST	62176	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:52.002464056 CEST	443	62176	34.120.208.123	192.168.2.6
Oct 25, 2024 07:36:52.002819061 CEST	62176	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:52.004199028 CEST	62176	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:52.004237890 CEST	443	62176	34.120.208.123	192.168.2.6
Oct 25, 2024 07:36:52.006234884 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:52.132255077 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:52.180365086 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:52.335489035 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:52.340863943 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:52.460462093 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:52.512442112 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:52.609452009 CEST	443	62176	34.120.208.123	192.168.2.6
Oct 25, 2024 07:36:52.609536886 CEST	62176	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:52.614034891 CEST	62176	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:52.614048004 CEST	443	62176	34.120.208.123	192.168.2.6
Oct 25, 2024 07:36:52.614135027 CEST	62176	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:52.614178896 CEST	443	62176	34.120.208.123	192.168.2.6
Oct 25, 2024 07:36:52.614268064 CEST	62176	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:36:52.618760109 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:52.624296904 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:52.750611067 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:52.753952980 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:52.759397984 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:52.797696114 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:52.878829002 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:36:52.935709953 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:36:59.540875912 CEST	62177	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:36:59.540921926 CEST	443	62177	35.244.181.201	192.168.2.6
Oct 25, 2024 07:36:59.541702032 CEST	62177	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:36:59.541800976 CEST	62177	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:36:59.541809082 CEST	443	62177	35.244.181.201	192.168.2.6
Oct 25, 2024 07:36:59.543956995 CEST	62178	443	192.168.2.6	34.149.100.209
Oct 25, 2024 07:36:59.544001102 CEST	443	62178	34.149.100.209	192.168.2.6
Oct 25, 2024 07:36:59.544181108 CEST	62178	443	192.168.2.6	34.149.100.209
Oct 25, 2024 07:36:59.544305086 CEST	62178	443	192.168.2.6	34.149.100.209
Oct 25, 2024 07:36:59.544312000 CEST	443	62178	34.149.100.209	192.168.2.6
Oct 25, 2024 07:36:59.546835899 CEST	62179	443	192.168.2.6	151.101.1.91
Oct 25, 2024 07:36:59.546849012 CEST	443	62179	151.101.1.91	192.168.2.6
Oct 25, 2024 07:36:59.547198057 CEST	62179	443	192.168.2.6	151.101.1.91
Oct 25, 2024 07:36:59.547472954 CEST	62179	443	192.168.2.6	151.101.1.91
Oct 25, 2024 07:36:59.547489882 CEST	443	62179	151.101.1.91	192.168.2.6
Oct 25, 2024 07:36:59.573487997 CEST	62180	443	192.168.2.6	35.190.72.216
Oct 25, 2024 07:36:59.573579073 CEST	443	62180	35.190.72.216	192.168.2.6
Oct 25, 2024 07:36:59.574537992 CEST	62180	443	192.168.2.6	35.190.72.216
Oct 25, 2024 07:36:59.576052904 CEST	62180	443	192.168.2.6	35.190.72.216
Oct 25, 2024 07:36:59.576090097 CEST	443	62180	35.190.72.216	192.168.2.6
Oct 25, 2024 07:36:59.602884054 CEST	62181	443	192.168.2.6	35.201.103.21
Oct 25, 2024 07:36:59.602917910 CEST	443	62181	35.201.103.21	192.168.2.6
Oct 25, 2024 07:36:59.603377104 CEST	62181	443	192.168.2.6	35.201.103.21
Oct 25, 2024 07:36:59.604809999 CEST	62181	443	192.168.2.6	35.201.103.21
Oct 25, 2024 07:36:59.604826927 CEST	443	62181	35.201.103.21	192.168.2.6
Oct 25, 2024 07:37:00.143942118 CEST	443	62177	35.244.181.201	192.168.2.6
Oct 25, 2024 07:37:00.144025087 CEST	62177	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:37:00.147170067 CEST	62177	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:37:00.147178888 CEST	443	62177	35.244.181.201	192.168.2.6
Oct 25, 2024 07:37:00.147391081 CEST	443	62177	35.244.181.201	192.168.2.6
Oct 25, 2024 07:37:00.149244070 CEST	62177	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:37:00.149244070 CEST	62177	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:37:00.149378061 CEST	443	62177	35.244.181.201	192.168.2.6
Oct 25, 2024 07:37:00.149970055 CEST	62177	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:37:00.153486013 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:37:00.155901909 CEST	443	62179	151.101.1.91	192.168.2.6
Oct 25, 2024 07:37:00.155993938 CEST	62179	443	192.168.2.6	151.101.1.91
Oct 25, 2024 07:37:00.158653021 CEST	443	62178	34.149.100.209	192.168.2.6
Oct 25, 2024 07:37:00.158759117 CEST	62178	443	192.168.2.6	34.149.100.209
Oct 25, 2024 07:37:00.158793926 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:37:00.158957005 CEST	62179	443	192.168.2.6	151.101.1.91
Oct 25, 2024 07:37:00.158970118 CEST	443	62179	151.101.1.91	192.168.2.6
Oct 25, 2024 07:37:00.159384966 CEST	443	62179	151.101.1.91	192.168.2.6
Oct 25, 2024 07:37:00.161359072 CEST	62178	443	192.168.2.6	34.149.100.209
Oct 25, 2024 07:37:00.161375046 CEST	443	62178	34.149.100.209	192.168.2.6
Oct 25, 2024 07:37:00.161797047 CEST	443	62178	34.149.100.209	192.168.2.6
Oct 25, 2024 07:37:00.164290905 CEST	62179	443	192.168.2.6	151.101.1.91
Oct 25, 2024 07:37:00.164400101 CEST	62179	443	192.168.2.6	151.101.1.91
Oct 25, 2024 07:37:00.164462090 CEST	62178	443	192.168.2.6	34.149.100.209
Oct 25, 2024 07:37:00.164503098 CEST	443	62179	151.101.1.91	192.168.2.6
Oct 25, 2024 07:37:00.164531946 CEST	62178	443	192.168.2.6	34.149.100.209
Oct 25, 2024 07:37:00.164622068 CEST	443	62178	34.149.100.209	192.168.2.6
Oct 25, 2024 07:37:00.164869070 CEST	62179	443	192.168.2.6	151.101.1.91
Oct 25, 2024 07:37:00.164874077 CEST	62178	443	192.168.2.6	34.149.100.209
Oct 25, 2024 07:37:00.173840046 CEST	62182	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:37:00.173861027 CEST	443	62182	35.244.181.201	192.168.2.6
Oct 25, 2024 07:37:00.174473047 CEST	62182	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:37:00.174614906 CEST	62182	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:37:00.174621105 CEST	443	62182	35.244.181.201	192.168.2.6
Oct 25, 2024 07:37:00.175093889 CEST	62183	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:37:00.175124884 CEST	443	62183	35.244.181.201	192.168.2.6
Oct 25, 2024 07:37:00.175791979 CEST	62184	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:37:00.175878048 CEST	443	62184	35.244.181.201	192.168.2.6
Oct 25, 2024 07:37:00.176244020 CEST	62183	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:37:00.176244020 CEST	62183	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:37:00.176253080 CEST	62184	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:37:00.176271915 CEST	443	62183	35.244.181.201	192.168.2.6
Oct 25, 2024 07:37:00.176340103 CEST	62184	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:37:00.176358938 CEST	443	62184	35.244.181.201	192.168.2.6
Oct 25, 2024 07:37:00.193407059 CEST	443	62180	35.190.72.216	192.168.2.6
Oct 25, 2024 07:37:00.193532944 CEST	62180	443	192.168.2.6	35.190.72.216
Oct 25, 2024 07:37:00.197205067 CEST	62180	443	192.168.2.6	35.190.72.216
Oct 25, 2024 07:37:00.197233915 CEST	443	62180	35.190.72.216	192.168.2.6
Oct 25, 2024 07:37:00.197299957 CEST	62180	443	192.168.2.6	35.190.72.216
Oct 25, 2024 07:37:00.197757959 CEST	443	62180	35.190.72.216	192.168.2.6
Oct 25, 2024 07:37:00.197849035 CEST	62180	443	192.168.2.6	35.190.72.216
Oct 25, 2024 07:37:00.227122068 CEST	443	62181	35.201.103.21	192.168.2.6
Oct 25, 2024 07:37:00.227339029 CEST	62181	443	192.168.2.6	35.201.103.21
Oct 25, 2024 07:37:00.230727911 CEST	62181	443	192.168.2.6	35.201.103.21
Oct 25, 2024 07:37:00.230736017 CEST	443	62181	35.201.103.21	192.168.2.6
Oct 25, 2024 07:37:00.230792046 CEST	62181	443	192.168.2.6	35.201.103.21
Oct 25, 2024 07:37:00.231014013 CEST	443	62181	35.201.103.21	192.168.2.6
Oct 25, 2024 07:37:00.231484890 CEST	62181	443	192.168.2.6	35.201.103.21
Oct 25, 2024 07:37:00.243468046 CEST	62185	443	192.168.2.6	34.149.100.209
Oct 25, 2024 07:37:00.243551016 CEST	443	62185	34.149.100.209	192.168.2.6
Oct 25, 2024 07:37:00.243911028 CEST	62185	443	192.168.2.6	34.149.100.209
Oct 25, 2024 07:37:00.244055033 CEST	62185	443	192.168.2.6	34.149.100.209
Oct 25, 2024 07:37:00.244082928 CEST	443	62185	34.149.100.209	192.168.2.6
Oct 25, 2024 07:37:00.284315109 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:37:00.287076950 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:37:00.292474031 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:37:00.335031033 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:37:00.411865950 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:37:00.457451105 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:37:00.780657053 CEST	443	62182	35.244.181.201	192.168.2.6
Oct 25, 2024 07:37:00.780885935 CEST	62182	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:37:00.783857107 CEST	62182	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:37:00.783875942 CEST	443	62182	35.244.181.201	192.168.2.6
Oct 25, 2024 07:37:00.784106970 CEST	443	62182	35.244.181.201	192.168.2.6
Oct 25, 2024 07:37:00.786793947 CEST	62182	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:37:00.786904097 CEST	443	62182	35.244.181.201	192.168.2.6
Oct 25, 2024 07:37:00.786914110 CEST	62182	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:37:00.786920071 CEST	443	62182	35.244.181.201	192.168.2.6
Oct 25, 2024 07:37:00.787224054 CEST	62182	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:37:00.791335106 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:37:00.796025038 CEST	443	62184	35.244.181.201	192.168.2.6
Oct 25, 2024 07:37:00.796164989 CEST	62184	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:37:00.796756029 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:37:00.798887968 CEST	62184	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:37:00.798916101 CEST	443	62184	35.244.181.201	192.168.2.6
Oct 25, 2024 07:37:00.799720049 CEST	443	62184	35.244.181.201	192.168.2.6
Oct 25, 2024 07:37:00.801035881 CEST	443	62183	35.244.181.201	192.168.2.6
Oct 25, 2024 07:37:00.801127911 CEST	62183	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:37:00.803272963 CEST	62183	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:37:00.803281069 CEST	443	62183	35.244.181.201	192.168.2.6
Oct 25, 2024 07:37:00.803633928 CEST	443	62183	35.244.181.201	192.168.2.6
Oct 25, 2024 07:37:00.804503918 CEST	62184	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:37:00.804578066 CEST	62184	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:37:00.804704905 CEST	443	62184	35.244.181.201	192.168.2.6
Oct 25, 2024 07:37:00.805246115 CEST	62184	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:37:00.806871891 CEST	62183	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:37:00.806945086 CEST	62183	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:37:00.807342052 CEST	443	62183	35.244.181.201	192.168.2.6
Oct 25, 2024 07:37:00.810718060 CEST	62183	443	192.168.2.6	35.244.181.201
Oct 25, 2024 07:37:00.886879921 CEST	443	62185	34.149.100.209	192.168.2.6
Oct 25, 2024 07:37:00.887094975 CEST	62185	443	192.168.2.6	34.149.100.209
Oct 25, 2024 07:37:00.889786005 CEST	62185	443	192.168.2.6	34.149.100.209
Oct 25, 2024 07:37:00.889816999 CEST	443	62185	34.149.100.209	192.168.2.6
Oct 25, 2024 07:37:00.890712976 CEST	443	62185	34.149.100.209	192.168.2.6
Oct 25, 2024 07:37:00.891711950 CEST	62185	443	192.168.2.6	34.149.100.209
Oct 25, 2024 07:37:00.891793013 CEST	62185	443	192.168.2.6	34.149.100.209
Oct 25, 2024 07:37:00.892014027 CEST	443	62185	34.149.100.209	192.168.2.6
Oct 25, 2024 07:37:00.893044949 CEST	62185	443	192.168.2.6	34.149.100.209
Oct 25, 2024 07:37:00.922152042 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:37:00.924988031 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:37:00.930485964 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:37:00.974572897 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:37:01.049407005 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:37:01.090485096 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:37:01.967159986 CEST	62187	443	192.168.2.6	34.107.243.93
Oct 25, 2024 07:37:01.967186928 CEST	443	62187	34.107.243.93	192.168.2.6
Oct 25, 2024 07:37:01.967264891 CEST	62187	443	192.168.2.6	34.107.243.93
Oct 25, 2024 07:37:01.968677998 CEST	62187	443	192.168.2.6	34.107.243.93
Oct 25, 2024 07:37:01.968688011 CEST	443	62187	34.107.243.93	192.168.2.6
Oct 25, 2024 07:37:02.613718987 CEST	443	62187	34.107.243.93	192.168.2.6
Oct 25, 2024 07:37:02.613794088 CEST	62187	443	192.168.2.6	34.107.243.93
Oct 25, 2024 07:37:02.618954897 CEST	62187	443	192.168.2.6	34.107.243.93
Oct 25, 2024 07:37:02.618959904 CEST	443	62187	34.107.243.93	192.168.2.6
Oct 25, 2024 07:37:02.619048119 CEST	62187	443	192.168.2.6	34.107.243.93
Oct 25, 2024 07:37:02.619096994 CEST	443	62187	34.107.243.93	192.168.2.6
Oct 25, 2024 07:37:02.619637012 CEST	62187	443	192.168.2.6	34.107.243.93
Oct 25, 2024 07:37:02.621598005 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:37:02.626985073 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:37:02.752800941 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:37:02.756128073 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:37:02.761639118 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:37:02.795406103 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:37:02.893122911 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:37:02.942569971 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:37:12.755434036 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:37:12.760938883 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:37:12.893522978 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:37:12.899100065 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:37:22.683644056 CEST	62190	443	192.168.2.6	34.107.243.93
Oct 25, 2024 07:37:22.683685064 CEST	443	62190	34.107.243.93	192.168.2.6
Oct 25, 2024 07:37:22.683993101 CEST	62190	443	192.168.2.6	34.107.243.93
Oct 25, 2024 07:37:22.685475111 CEST	62190	443	192.168.2.6	34.107.243.93
Oct 25, 2024 07:37:22.685487032 CEST	443	62190	34.107.243.93	192.168.2.6
Oct 25, 2024 07:37:22.769097090 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:37:22.774624109 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:37:22.900657892 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:37:22.906208038 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:37:23.326668024 CEST	443	62190	34.107.243.93	192.168.2.6
Oct 25, 2024 07:37:23.326751947 CEST	62190	443	192.168.2.6	34.107.243.93
Oct 25, 2024 07:37:23.331711054 CEST	62190	443	192.168.2.6	34.107.243.93
Oct 25, 2024 07:37:23.331746101 CEST	443	62190	34.107.243.93	192.168.2.6
Oct 25, 2024 07:37:23.331825972 CEST	62190	443	192.168.2.6	34.107.243.93
Oct 25, 2024 07:37:23.332102060 CEST	443	62190	34.107.243.93	192.168.2.6
Oct 25, 2024 07:37:23.333276033 CEST	62190	443	192.168.2.6	34.107.243.93
Oct 25, 2024 07:37:23.334691048 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:37:23.340109110 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:37:23.466275930 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:37:23.469629049 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:37:23.475143909 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:37:23.524538994 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:37:23.594465017 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:37:23.640448093 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:37:29.296437025 CEST	62191	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.296487093 CEST	443	62191	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:29.296816111 CEST	62192	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.296865940 CEST	443	62192	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:29.296973944 CEST	62193	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.297056913 CEST	62194	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.297066927 CEST	443	62194	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:29.297074080 CEST	443	62193	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:29.297204018 CEST	62195	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.297240973 CEST	443	62195	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:29.297286034 CEST	62196	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.297297955 CEST	443	62196	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:29.297653913 CEST	62192	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.297653913 CEST	62194	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.297668934 CEST	62193	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.297669888 CEST	62195	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.297694921 CEST	62196	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.297694921 CEST	62191	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.297802925 CEST	62191	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.297813892 CEST	443	62191	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:29.297931910 CEST	62196	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.297946930 CEST	443	62196	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:29.298005104 CEST	62195	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.298052073 CEST	443	62195	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:29.298053026 CEST	62194	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.298069000 CEST	443	62194	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:29.298129082 CEST	62193	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.298155069 CEST	443	62193	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:29.298186064 CEST	62192	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.298202991 CEST	443	62192	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:29.902777910 CEST	443	62191	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:29.902884007 CEST	62191	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.906100988 CEST	62191	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.906112909 CEST	443	62191	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:29.906630993 CEST	443	62191	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:29.907767057 CEST	443	62196	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:29.907879114 CEST	62196	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.910279036 CEST	62196	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.910285950 CEST	443	62196	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:29.910619974 CEST	443	62196	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:29.910913944 CEST	62191	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.910913944 CEST	62191	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.911359072 CEST	62197	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.911406040 CEST	443	62191	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:29.911479950 CEST	443	62197	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:29.911657095 CEST	443	62195	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:29.914062023 CEST	62196	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.914185047 CEST	62196	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.914268970 CEST	443	62196	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:29.914625883 CEST	62198	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.914659023 CEST	443	62198	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:29.914856911 CEST	62196	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.914874077 CEST	62191	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.914933920 CEST	62196	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.914933920 CEST	62198	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.914985895 CEST	62197	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.915065050 CEST	62195	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.917576075 CEST	62195	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.917607069 CEST	443	62195	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:29.917994022 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:37:29.918025017 CEST	443	62195	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:29.918198109 CEST	62197	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.918267965 CEST	443	62197	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:29.918339014 CEST	62198	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.918353081 CEST	443	62198	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:29.918839931 CEST	443	62194	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:29.920010090 CEST	62194	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.922327995 CEST	62194	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.922338963 CEST	443	62194	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:29.922899961 CEST	443	62194	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:29.923265934 CEST	62195	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.923309088 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:37:29.923382044 CEST	62195	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.923883915 CEST	443	62195	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:29.923974991 CEST	62195	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.925080061 CEST	62194	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.925175905 CEST	62194	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.925461054 CEST	443	62194	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:29.925841093 CEST	62194	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.928011894 CEST	443	62192	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:29.928092957 CEST	62192	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.930675983 CEST	62192	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.930681944 CEST	443	62192	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:29.931552887 CEST	443	62192	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:29.932586908 CEST	62192	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.932689905 CEST	62192	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.932949066 CEST	443	62192	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:29.933032990 CEST	62192	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.948869944 CEST	443	62193	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:29.949044943 CEST	62193	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.951744080 CEST	62193	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.951797009 CEST	443	62193	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:29.952224970 CEST	443	62193	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:29.953474998 CEST	62193	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.953582048 CEST	62193	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:29.953764915 CEST	443	62193	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:29.953824043 CEST	62193	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:30.049688101 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:37:30.057074070 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:37:30.062720060 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:37:30.105398893 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:37:30.181931019 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:37:30.243278980 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:37:30.522878885 CEST	443	62197	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:30.523111105 CEST	62197	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:30.525892973 CEST	62197	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:30.525947094 CEST	443	62197	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:30.526073933 CEST	443	62198	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:30.527103901 CEST	443	62197	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:30.527714014 CEST	62197	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:30.527714968 CEST	62197	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:30.528187990 CEST	443	62197	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:30.530576944 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:37:30.532757998 CEST	62198	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:30.532815933 CEST	62197	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:30.532816887 CEST	62197	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:30.535336971 CEST	62198	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:30.535353899 CEST	443	62198	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:30.535666943 CEST	443	62198	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:30.536016941 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:37:30.537159920 CEST	62198	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:30.537287951 CEST	62198	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:30.537362099 CEST	443	62198	34.120.208.123	192.168.2.6
Oct 25, 2024 07:37:30.539720058 CEST	62198	443	192.168.2.6	34.120.208.123
Oct 25, 2024 07:37:31.619019032 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:37:31.619103909 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:37:31.619126081 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:37:31.621620893 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:37:31.621620893 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:37:31.622313023 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:37:31.834301949 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:37:31.834384918 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:37:31.835217953 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:37:31.954886913 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:37:31.995456934 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:37:38.536349058 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:37:38.541706085 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:37:38.667704105 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:37:38.670913935 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:37:38.676376104 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:37:38.714657068 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:37:38.795711040 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:37:38.846276999 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:37:48.669651985 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:37:48.675358057 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:37:48.801292896 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:37:48.806828976 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:37:58.682729959 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:37:58.688338995 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:37:58.814253092 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:37:58.819883108 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:38:03.695633888 CEST	62201	443	192.168.2.6	34.107.243.93
Oct 25, 2024 07:38:03.695692062 CEST	443	62201	34.107.243.93	192.168.2.6
Oct 25, 2024 07:38:03.696021080 CEST	62201	443	192.168.2.6	34.107.243.93
Oct 25, 2024 07:38:03.697483063 CEST	62201	443	192.168.2.6	34.107.243.93
Oct 25, 2024 07:38:03.697511911 CEST	443	62201	34.107.243.93	192.168.2.6
Oct 25, 2024 07:38:04.302009106 CEST	443	62201	34.107.243.93	192.168.2.6
Oct 25, 2024 07:38:04.302462101 CEST	62201	443	192.168.2.6	34.107.243.93
Oct 25, 2024 07:38:04.307399035 CEST	62201	443	192.168.2.6	34.107.243.93
Oct 25, 2024 07:38:04.307437897 CEST	443	62201	34.107.243.93	192.168.2.6
Oct 25, 2024 07:38:04.307528973 CEST	62201	443	192.168.2.6	34.107.243.93
Oct 25, 2024 07:38:04.307682037 CEST	443	62201	34.107.243.93	192.168.2.6
Oct 25, 2024 07:38:04.308388948 CEST	62201	443	192.168.2.6	34.107.243.93
Oct 25, 2024 07:38:04.310388088 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:38:04.315771103 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:38:04.443300009 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:38:04.447072029 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:38:04.452749968 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:38:04.484061003 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:38:04.572144985 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:38:04.615844011 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:38:14.458883047 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:38:14.464312077 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:38:14.574798107 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:38:14.580432892 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:38:24.471808910 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:38:24.477595091 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:38:24.587766886 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:38:24.593539000 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:38:34.477519035 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:38:34.483077049 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:38:34.600069046 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:38:34.605751038 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:38:44.489746094 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:38:44.495204926 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:38:44.605767012 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:38:44.611320972 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:38:54.504050970 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:38:54.511441946 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:38:54.619883060 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:38:54.625360012 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:39:04.517045021 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:39:04.522624016 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:39:04.633032084 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:39:04.638546944 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:39:14.531137943 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:39:14.537337065 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:39:14.647073030 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:39:14.653352976 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:39:24.543010950 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:39:24.549034119 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:39:24.658890963 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:39:24.664591074 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:39:25.217163086 CEST	62204	443	192.168.2.6	34.107.243.93
Oct 25, 2024 07:39:25.217255116 CEST	443	62204	34.107.243.93	192.168.2.6
Oct 25, 2024 07:39:25.217366934 CEST	62204	443	192.168.2.6	34.107.243.93
Oct 25, 2024 07:39:25.218719959 CEST	62204	443	192.168.2.6	34.107.243.93
Oct 25, 2024 07:39:25.218797922 CEST	443	62204	34.107.243.93	192.168.2.6
Oct 25, 2024 07:39:25.828799963 CEST	443	62204	34.107.243.93	192.168.2.6
Oct 25, 2024 07:39:25.835335970 CEST	443	62204	34.107.243.93	192.168.2.6
Oct 25, 2024 07:39:25.837074995 CEST	62204	443	192.168.2.6	34.107.243.93
Oct 25, 2024 07:39:25.843286991 CEST	62204	443	192.168.2.6	34.107.243.93
Oct 25, 2024 07:39:25.843343973 CEST	443	62204	34.107.243.93	192.168.2.6
Oct 25, 2024 07:39:25.843616009 CEST	443	62204	34.107.243.93	192.168.2.6
Oct 25, 2024 07:39:25.846498966 CEST	62204	443	192.168.2.6	34.107.243.93
Oct 25, 2024 07:39:25.847664118 CEST	62204	443	192.168.2.6	34.107.243.93
Oct 25, 2024 07:39:25.847706079 CEST	443	62204	34.107.243.93	192.168.2.6
Oct 25, 2024 07:39:25.850940943 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:39:25.856622934 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:39:25.981827974 CEST	80	49744	34.107.221.82	192.168.2.6
Oct 25, 2024 07:39:25.986279011 CEST	49746	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:39:25.991645098 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:39:26.024867058 CEST	49744	80	192.168.2.6	34.107.221.82
Oct 25, 2024 07:39:26.110693932 CEST	80	49746	34.107.221.82	192.168.2.6
Oct 25, 2024 07:39:26.163136005 CEST	49746	80	192.168.2.6	34.107.221.82

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2024 07:36:31.466510057 CEST	58011	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:31.467396975 CEST	60020	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:31.473521948 CEST	53	58011	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:31.503310919 CEST	61888	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:31.511032104 CEST	53	61888	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:31.511739969 CEST	56587	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:31.519509077 CEST	53	56587	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:31.536613941 CEST	56020	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:31.537133932 CEST	60462	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:31.537554979 CEST	50245	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:31.543858051 CEST	53	56020	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:31.544881105 CEST	53	60462	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:31.545092106 CEST	53	50245	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:31.583733082 CEST	62958	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:31.590981960 CEST	53	62958	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:32.382744074 CEST	58432	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:32.383413076 CEST	54853	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:32.389960051 CEST	53	58432	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:32.390830994 CEST	53	54853	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:32.445369005 CEST	50803	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:32.453732014 CEST	53	50803	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:32.460688114 CEST	54880	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:32.468456984 CEST	53	54880	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:32.469017029 CEST	57414	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:32.476284981 CEST	53	57414	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:32.781069994 CEST	62684	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:32.788732052 CEST	50709	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:32.796782017 CEST	53	50709	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:32.813807964 CEST	65139	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:32.816726923 CEST	49582	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:32.817337036 CEST	59129	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:32.821432114 CEST	53	65139	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:32.823961973 CEST	53	49582	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:32.824096918 CEST	57770	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:32.824696064 CEST	53	59129	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:32.825964928 CEST	52027	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:32.826277971 CEST	60588	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:32.832057953 CEST	53	57770	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:32.833235979 CEST	53	52027	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:32.833503962 CEST	53	60588	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:32.833820105 CEST	52895	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:32.841073036 CEST	53	52895	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:34.806885004 CEST	57805	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:34.975764990 CEST	53	58639	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:38.136137962 CEST	51493	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:38.143574953 CEST	53	51493	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:38.149281979 CEST	62887	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:38.157445908 CEST	53	62887	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:38.159306049 CEST	57060	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:38.166671038 CEST	53	57060	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:38.625473022 CEST	65008	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:38.632838964 CEST	53	65008	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:38.638573885 CEST	62165	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:38.645875931 CEST	53	62165	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:38.646696091 CEST	49968	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:38.653997898 CEST	53	49968	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:42.722780943 CEST	51585	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:42.777055025 CEST	53	51585	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:42.779036045 CEST	53	53368	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:42.835624933 CEST	51383	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:42.843072891 CEST	53	51383	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:42.844984055 CEST	51604	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:42.852437973 CEST	53	51604	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:43.128673077 CEST	62726	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:43.140440941 CEST	53	62726	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:45.373419046 CEST	55747	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:45.381392956 CEST	53	55747	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:45.395803928 CEST	59305	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:45.403127909 CEST	53	59305	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:45.403913021 CEST	60902	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:45.411407948 CEST	53	60902	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:48.222394943 CEST	52087	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:48.229723930 CEST	53	52087	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:50.014801979 CEST	52546	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:50.025576115 CEST	51726	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:50.847737074 CEST	53	51726	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:52.330573082 CEST	54082	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:52.330903053 CEST	55086	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:52.331288099 CEST	55958	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:52.338124037 CEST	53	54082	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:52.338386059 CEST	53	55958	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:52.338881016 CEST	53	55086	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:52.338968039 CEST	51384	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:52.339656115 CEST	51863	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:52.340039015 CEST	52006	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:52.346285105 CEST	53	51384	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:52.347160101 CEST	50075	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:52.347166061 CEST	53	52006	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:52.347527027 CEST	53	51863	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:52.347688913 CEST	51202	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:52.348088980 CEST	53542	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:52.354770899 CEST	53	50075	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:52.355494022 CEST	53	51202	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:52.355550051 CEST	54432	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:52.355654001 CEST	53	53542	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:52.356192112 CEST	62041	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:52.362735033 CEST	53	54432	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:52.363251925 CEST	53	62041	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:52.364478111 CEST	51105	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:52.364479065 CEST	50702	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:52.371624947 CEST	53	50702	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:52.372343063 CEST	58133	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:52.373326063 CEST	53	51105	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:52.373760939 CEST	56983	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:52.380224943 CEST	53	58133	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:52.381872892 CEST	53	56983	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:59.531482935 CEST	64959	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:59.538669109 CEST	59257	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:59.538793087 CEST	53	64959	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:59.542294979 CEST	51252	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:59.546073914 CEST	53	59257	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:59.547169924 CEST	49945	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:59.549582005 CEST	53	51252	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:59.554641962 CEST	53	49945	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:59.555759907 CEST	60878	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:59.563028097 CEST	53	60878	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:59.578727961 CEST	60228	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:59.586776972 CEST	53	60228	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:59.603336096 CEST	64427	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:59.612073898 CEST	53	64427	1.1.1.1	192.168.2.6
Oct 25, 2024 07:36:59.615124941 CEST	64120	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:36:59.623163939 CEST	53	64120	1.1.1.1	192.168.2.6
Oct 25, 2024 07:37:01.966731071 CEST	58994	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:37:01.974219084 CEST	53	58994	1.1.1.1	192.168.2.6
Oct 25, 2024 07:37:01.975390911 CEST	61392	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:37:01.983284950 CEST	53	61392	1.1.1.1	192.168.2.6
Oct 25, 2024 07:37:22.674995899 CEST	64184	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:37:22.682760954 CEST	53	64184	1.1.1.1	192.168.2.6
Oct 25, 2024 07:37:22.683593035 CEST	50748	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:37:22.690772057 CEST	53	50748	1.1.1.1	192.168.2.6
Oct 25, 2024 07:37:23.335145950 CEST	58573	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:37:29.286000013 CEST	50867	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:37:29.293513060 CEST	53	50867	1.1.1.1	192.168.2.6
Oct 25, 2024 07:38:03.687015057 CEST	61093	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:38:03.694489956 CEST	53	61093	1.1.1.1	192.168.2.6
Oct 25, 2024 07:38:03.695491076 CEST	54882	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:38:03.702898979 CEST	53	54882	1.1.1.1	192.168.2.6
Oct 25, 2024 07:39:25.198314905 CEST	52343	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:39:25.206612110 CEST	53	52343	1.1.1.1	192.168.2.6
Oct 25, 2024 07:39:25.208009005 CEST	54671	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:39:25.216085911 CEST	53	54671	1.1.1.1	192.168.2.6
Oct 25, 2024 07:39:25.216706991 CEST	54319	53	192.168.2.6	1.1.1.1
Oct 25, 2024 07:39:25.225333929 CEST	53	54319	1.1.1.1	192.168.2.6
Oct 25, 2024 07:39:25.851295948 CEST	62499	53	192.168.2.6	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 25, 2024 07:36:31.466510057 CEST	192.168.2.6	1.1.1.1	0x99ff	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:31.467396975 CEST	192.168.2.6	1.1.1.1	0x149e	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:31.503310919 CEST	192.168.2.6	1.1.1.1	0x520d	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:31.511739969 CEST	192.168.2.6	1.1.1.1	0xae12	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:31.536613941 CEST	192.168.2.6	1.1.1.1	0xc401	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:31.537133932 CEST	192.168.2.6	1.1.1.1	0x6009	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 07:36:31.537554979 CEST	192.168.2.6	1.1.1.1	0xb27a	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 07:36:31.583733082 CEST	192.168.2.6	1.1.1.1	0x1e1f	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 25, 2024 07:36:32.382744074 CEST	192.168.2.6	1.1.1.1	0xbe82	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:32.383413076 CEST	192.168.2.6	1.1.1.1	0x4d8f	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:32.445369005 CEST	192.168.2.6	1.1.1.1	0x9f84	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:32.460688114 CEST	192.168.2.6	1.1.1.1	0x4419	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:32.469017029 CEST	192.168.2.6	1.1.1.1	0x220b	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 07:36:32.781069994 CEST	192.168.2.6	1.1.1.1	0xaf55	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:32.788732052 CEST	192.168.2.6	1.1.1.1	0xf8d4	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:32.813807964 CEST	192.168.2.6	1.1.1.1	0xe676	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:32.816726923 CEST	192.168.2.6	1.1.1.1	0x9a32	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:32.817337036 CEST	192.168.2.6	1.1.1.1	0xb16f	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:32.824096918 CEST	192.168.2.6	1.1.1.1	0x7360	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 07:36:32.825964928 CEST	192.168.2.6	1.1.1.1	0xbf99	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:32.826277971 CEST	192.168.2.6	1.1.1.1	0xc7e0	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 07:36:32.833820105 CEST	192.168.2.6	1.1.1.1	0x7510	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 07:36:34.806885004 CEST	192.168.2.6	1.1.1.1	0x9a90	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:38.136137962 CEST	192.168.2.6	1.1.1.1	0x59f9	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:38.149281979 CEST	192.168.2.6	1.1.1.1	0xdcbb	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:38.159306049 CEST	192.168.2.6	1.1.1.1	0x9acf	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 07:36:38.625473022 CEST	192.168.2.6	1.1.1.1	0xa49	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:38.638573885 CEST	192.168.2.6	1.1.1.1	0xd219	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:38.646696091 CEST	192.168.2.6	1.1.1.1	0x8c25	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 07:36:42.722780943 CEST	192.168.2.6	1.1.1.1	0x785e	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 07:36:42.835624933 CEST	192.168.2.6	1.1.1.1	0xda01	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:42.844984055 CEST	192.168.2.6	1.1.1.1	0xc277	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 07:36:43.128673077 CEST	192.168.2.6	1.1.1.1	0x767d	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 07:36:45.373419046 CEST	192.168.2.6	1.1.1.1	0x15bc	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:45.395803928 CEST	192.168.2.6	1.1.1.1	0xbadc	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:45.403913021 CEST	192.168.2.6	1.1.1.1	0xc4de	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 07:36:48.222394943 CEST	192.168.2.6	1.1.1.1	0xafce	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 07:36:50.014801979 CEST	192.168.2.6	1.1.1.1	0x7767	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:50.025576115 CEST	192.168.2.6	1.1.1.1	0xebca	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 07:36:52.330573082 CEST	192.168.2.6	1.1.1.1	0x114d	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.330903053 CEST	192.168.2.6	1.1.1.1	0x7c20	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.331288099 CEST	192.168.2.6	1.1.1.1	0xa531	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.338968039 CEST	192.168.2.6	1.1.1.1	0xfc50	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.339656115 CEST	192.168.2.6	1.1.1.1	0x7197	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.340039015 CEST	192.168.2.6	1.1.1.1	0x38f7	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.347160101 CEST	192.168.2.6	1.1.1.1	0xe194	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 25, 2024 07:36:52.347688913 CEST	192.168.2.6	1.1.1.1	0x46d2	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 25, 2024 07:36:52.348088980 CEST	192.168.2.6	1.1.1.1	0xebd5	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 25, 2024 07:36:52.355550051 CEST	192.168.2.6	1.1.1.1	0x62c2	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.356192112 CEST	192.168.2.6	1.1.1.1	0x35e2	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.364478111 CEST	192.168.2.6	1.1.1.1	0x8590	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.364479065 CEST	192.168.2.6	1.1.1.1	0x5e75	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.372343063 CEST	192.168.2.6	1.1.1.1	0x56a3	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 25, 2024 07:36:52.373760939 CEST	192.168.2.6	1.1.1.1	0x696a	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 25, 2024 07:36:59.531482935 CEST	192.168.2.6	1.1.1.1	0xefc2	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:59.538669109 CEST	192.168.2.6	1.1.1.1	0x5f5f	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:59.542294979 CEST	192.168.2.6	1.1.1.1	0x50b2	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 25, 2024 07:36:59.547169924 CEST	192.168.2.6	1.1.1.1	0x9b64	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:59.555759907 CEST	192.168.2.6	1.1.1.1	0x2e97	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 25, 2024 07:36:59.578727961 CEST	192.168.2.6	1.1.1.1	0xa5ac	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:59.603336096 CEST	192.168.2.6	1.1.1.1	0xb2a	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:59.615124941 CEST	192.168.2.6	1.1.1.1	0xb97f	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 07:37:01.966731071 CEST	192.168.2.6	1.1.1.1	0x1c1	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:37:01.975390911 CEST	192.168.2.6	1.1.1.1	0xcb21	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 07:37:22.674995899 CEST	192.168.2.6	1.1.1.1	0xb5bc	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:37:22.683593035 CEST	192.168.2.6	1.1.1.1	0x7c80	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 07:37:23.335145950 CEST	192.168.2.6	1.1.1.1	0x6ffc	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:37:29.286000013 CEST	192.168.2.6	1.1.1.1	0x8b1	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 07:38:03.687015057 CEST	192.168.2.6	1.1.1.1	0xa9ec	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:38:03.695491076 CEST	192.168.2.6	1.1.1.1	0xaf11	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 07:39:25.198314905 CEST	192.168.2.6	1.1.1.1	0xc086	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:39:25.208009005 CEST	192.168.2.6	1.1.1.1	0x64c5	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:39:25.216706991 CEST	192.168.2.6	1.1.1.1	0x83c3	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 25, 2024 07:39:25.851295948 CEST	192.168.2.6	1.1.1.1	0x99da	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 25, 2024 07:36:31.472753048 CEST	1.1.1.1	192.168.2.6	0x277e	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:31.473521948 CEST	1.1.1.1	192.168.2.6	0x99ff	No error (0)	youtube.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:31.474462986 CEST	1.1.1.1	192.168.2.6	0x149e	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 07:36:31.474462986 CEST	1.1.1.1	192.168.2.6	0x149e	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:31.511032104 CEST	1.1.1.1	192.168.2.6	0x520d	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:31.519509077 CEST	1.1.1.1	192.168.2.6	0xae12	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:31.543858051 CEST	1.1.1.1	192.168.2.6	0xc401	No error (0)	youtube.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:31.544881105 CEST	1.1.1.1	192.168.2.6	0x6009	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 25, 2024 07:36:31.590981960 CEST	1.1.1.1	192.168.2.6	0x1e1f	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 25, 2024 07:36:32.389960051 CEST	1.1.1.1	192.168.2.6	0xbe82	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:32.390830994 CEST	1.1.1.1	192.168.2.6	0x4d8f	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:32.390830994 CEST	1.1.1.1	192.168.2.6	0x4d8f	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:32.453732014 CEST	1.1.1.1	192.168.2.6	0x9f84	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:32.468456984 CEST	1.1.1.1	192.168.2.6	0x4419	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:32.788971901 CEST	1.1.1.1	192.168.2.6	0xaf55	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 07:36:32.788971901 CEST	1.1.1.1	192.168.2.6	0xaf55	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:32.796782017 CEST	1.1.1.1	192.168.2.6	0xf8d4	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 07:36:32.796782017 CEST	1.1.1.1	192.168.2.6	0xf8d4	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:32.801409006 CEST	1.1.1.1	192.168.2.6	0xff67	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 07:36:32.801409006 CEST	1.1.1.1	192.168.2.6	0xff67	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:32.821432114 CEST	1.1.1.1	192.168.2.6	0xe676	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:32.823961973 CEST	1.1.1.1	192.168.2.6	0x9a32	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:32.824696064 CEST	1.1.1.1	192.168.2.6	0xb16f	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 07:36:32.824696064 CEST	1.1.1.1	192.168.2.6	0xb16f	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 07:36:32.824696064 CEST	1.1.1.1	192.168.2.6	0xb16f	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:32.833235979 CEST	1.1.1.1	192.168.2.6	0xbf99	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:32.841073036 CEST	1.1.1.1	192.168.2.6	0x7510	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 25, 2024 07:36:34.957840919 CEST	1.1.1.1	192.168.2.6	0x9a90	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 07:36:38.143574953 CEST	1.1.1.1	192.168.2.6	0x59f9	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 07:36:38.143574953 CEST	1.1.1.1	192.168.2.6	0x59f9	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 07:36:38.143574953 CEST	1.1.1.1	192.168.2.6	0x59f9	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:38.157445908 CEST	1.1.1.1	192.168.2.6	0xdcbb	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:38.632838964 CEST	1.1.1.1	192.168.2.6	0xa49	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:38.645875931 CEST	1.1.1.1	192.168.2.6	0xd219	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:42.776963949 CEST	1.1.1.1	192.168.2.6	0xc716	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 07:36:42.776963949 CEST	1.1.1.1	192.168.2.6	0xc716	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:42.832417965 CEST	1.1.1.1	192.168.2.6	0x533d	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:42.843072891 CEST	1.1.1.1	192.168.2.6	0xda01	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:45.071820974 CEST	1.1.1.1	192.168.2.6	0xc88a	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:45.381392956 CEST	1.1.1.1	192.168.2.6	0x15bc	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 07:36:45.381392956 CEST	1.1.1.1	192.168.2.6	0x15bc	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:45.403127909 CEST	1.1.1.1	192.168.2.6	0xbadc	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:50.846776962 CEST	1.1.1.1	192.168.2.6	0x7767	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 07:36:50.846776962 CEST	1.1.1.1	192.168.2.6	0x7767	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.338124037 CEST	1.1.1.1	192.168.2.6	0x114d	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 07:36:52.338124037 CEST	1.1.1.1	192.168.2.6	0x114d	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.338124037 CEST	1.1.1.1	192.168.2.6	0x114d	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.338124037 CEST	1.1.1.1	192.168.2.6	0x114d	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.338124037 CEST	1.1.1.1	192.168.2.6	0x114d	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.338124037 CEST	1.1.1.1	192.168.2.6	0x114d	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.338124037 CEST	1.1.1.1	192.168.2.6	0x114d	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.338124037 CEST	1.1.1.1	192.168.2.6	0x114d	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.338124037 CEST	1.1.1.1	192.168.2.6	0x114d	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.338124037 CEST	1.1.1.1	192.168.2.6	0x114d	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.338124037 CEST	1.1.1.1	192.168.2.6	0x114d	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.338124037 CEST	1.1.1.1	192.168.2.6	0x114d	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.338124037 CEST	1.1.1.1	192.168.2.6	0x114d	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.338124037 CEST	1.1.1.1	192.168.2.6	0x114d	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.338124037 CEST	1.1.1.1	192.168.2.6	0x114d	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.338124037 CEST	1.1.1.1	192.168.2.6	0x114d	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.338124037 CEST	1.1.1.1	192.168.2.6	0x114d	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.338386059 CEST	1.1.1.1	192.168.2.6	0xa531	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 07:36:52.338386059 CEST	1.1.1.1	192.168.2.6	0xa531	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.338881016 CEST	1.1.1.1	192.168.2.6	0x7c20	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 07:36:52.338881016 CEST	1.1.1.1	192.168.2.6	0x7c20	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.346285105 CEST	1.1.1.1	192.168.2.6	0xfc50	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.346285105 CEST	1.1.1.1	192.168.2.6	0xfc50	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.346285105 CEST	1.1.1.1	192.168.2.6	0xfc50	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.346285105 CEST	1.1.1.1	192.168.2.6	0xfc50	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.346285105 CEST	1.1.1.1	192.168.2.6	0xfc50	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.346285105 CEST	1.1.1.1	192.168.2.6	0xfc50	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.346285105 CEST	1.1.1.1	192.168.2.6	0xfc50	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.346285105 CEST	1.1.1.1	192.168.2.6	0xfc50	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.346285105 CEST	1.1.1.1	192.168.2.6	0xfc50	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.346285105 CEST	1.1.1.1	192.168.2.6	0xfc50	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.346285105 CEST	1.1.1.1	192.168.2.6	0xfc50	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.346285105 CEST	1.1.1.1	192.168.2.6	0xfc50	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.346285105 CEST	1.1.1.1	192.168.2.6	0xfc50	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.346285105 CEST	1.1.1.1	192.168.2.6	0xfc50	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.346285105 CEST	1.1.1.1	192.168.2.6	0xfc50	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.346285105 CEST	1.1.1.1	192.168.2.6	0xfc50	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.347166061 CEST	1.1.1.1	192.168.2.6	0x38f7	No error (0)	star-mini.c10r.facebook.com		157.240.253.35	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.347527027 CEST	1.1.1.1	192.168.2.6	0x7197	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.354770899 CEST	1.1.1.1	192.168.2.6	0xe194	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 25, 2024 07:36:52.354770899 CEST	1.1.1.1	192.168.2.6	0xe194	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 25, 2024 07:36:52.354770899 CEST	1.1.1.1	192.168.2.6	0xe194	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 25, 2024 07:36:52.354770899 CEST	1.1.1.1	192.168.2.6	0xe194	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 25, 2024 07:36:52.355494022 CEST	1.1.1.1	192.168.2.6	0x46d2	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 25, 2024 07:36:52.355654001 CEST	1.1.1.1	192.168.2.6	0xebd5	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 25, 2024 07:36:52.362735033 CEST	1.1.1.1	192.168.2.6	0x62c2	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 07:36:52.362735033 CEST	1.1.1.1	192.168.2.6	0x62c2	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.362735033 CEST	1.1.1.1	192.168.2.6	0x62c2	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.362735033 CEST	1.1.1.1	192.168.2.6	0x62c2	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.362735033 CEST	1.1.1.1	192.168.2.6	0x62c2	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.363251925 CEST	1.1.1.1	192.168.2.6	0x35e2	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.371624947 CEST	1.1.1.1	192.168.2.6	0x5e75	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.373326063 CEST	1.1.1.1	192.168.2.6	0x8590	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.373326063 CEST	1.1.1.1	192.168.2.6	0x8590	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.373326063 CEST	1.1.1.1	192.168.2.6	0x8590	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:52.373326063 CEST	1.1.1.1	192.168.2.6	0x8590	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:59.538356066 CEST	1.1.1.1	192.168.2.6	0xf709	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 07:36:59.538356066 CEST	1.1.1.1	192.168.2.6	0xf709	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:59.538793087 CEST	1.1.1.1	192.168.2.6	0xefc2	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:59.546073914 CEST	1.1.1.1	192.168.2.6	0x5f5f	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:59.546073914 CEST	1.1.1.1	192.168.2.6	0x5f5f	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:59.546073914 CEST	1.1.1.1	192.168.2.6	0x5f5f	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:59.546073914 CEST	1.1.1.1	192.168.2.6	0x5f5f	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:59.554641962 CEST	1.1.1.1	192.168.2.6	0x9b64	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:59.554641962 CEST	1.1.1.1	192.168.2.6	0x9b64	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:59.554641962 CEST	1.1.1.1	192.168.2.6	0x9b64	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:59.554641962 CEST	1.1.1.1	192.168.2.6	0x9b64	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:59.586776972 CEST	1.1.1.1	192.168.2.6	0xa5ac	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 07:36:59.586776972 CEST	1.1.1.1	192.168.2.6	0xa5ac	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:36:59.612073898 CEST	1.1.1.1	192.168.2.6	0xb2a	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:37:00.802046061 CEST	1.1.1.1	192.168.2.6	0xca1b	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 07:37:00.802046061 CEST	1.1.1.1	192.168.2.6	0xca1b	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 07:37:01.974219084 CEST	1.1.1.1	192.168.2.6	0x1c1	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:37:22.682760954 CEST	1.1.1.1	192.168.2.6	0xb5bc	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:37:23.342415094 CEST	1.1.1.1	192.168.2.6	0x6ffc	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 07:37:23.342415094 CEST	1.1.1.1	192.168.2.6	0x6ffc	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:37:29.287795067 CEST	1.1.1.1	192.168.2.6	0x1643	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:38:03.694489956 CEST	1.1.1.1	192.168.2.6	0xa9ec	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:39:25.206612110 CEST	1.1.1.1	192.168.2.6	0xc086	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:39:25.216085911 CEST	1.1.1.1	192.168.2.6	0x64c5	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 25, 2024 07:39:25.859512091 CEST	1.1.1.1	192.168.2.6	0x99da	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 25, 2024 07:39:25.859512091 CEST	1.1.1.1	192.168.2.6	0x99da	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49727	34.107.221.82	80	404	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 07:36:31.528311968 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 07:36:32.130609989 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 61598 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 07:36:32.973011971 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 07:36:33.099575996 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 61599 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49734	34.107.221.82	80	404	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 07:36:32.809154034 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49740	34.107.221.82	80	404	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 07:36:33.460750103 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 07:36:34.056672096 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 70900 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49744	34.107.221.82	80	404	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 07:36:33.694906950 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 07:36:34.402648926 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 61600 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 07:36:34.770469904 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 07:36:35.082004070 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 61601 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 07:36:38.253010988 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 07:36:38.384017944 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 61604 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 07:36:45.063610077 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 07:36:45.197304010 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 61611 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 07:36:45.817640066 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 07:36:45.950527906 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 61611 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 07:36:47.203176022 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 07:36:47.334698915 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 61613 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 07:36:50.014157057 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 07:36:50.328246117 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 07:36:50.970372915 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 61616 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 07:36:52.000735998 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 07:36:52.132255077 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 61618 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 07:36:52.618760109 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 07:36:52.750611067 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 61618 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 07:37:00.153486013 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 07:37:00.284315109 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 61626 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 07:37:00.791335106 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 07:37:00.922152042 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 61626 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 07:37:02.621598005 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 07:37:02.752800941 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 61628 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 07:37:12.755434036 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 07:37:22.769097090 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 07:37:23.334691048 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 07:37:23.466275930 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 61649 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 07:37:29.917994022 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 07:37:30.049688101 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 61655 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 07:37:30.530576944 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 07:37:31.619019032 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 61656 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 07:37:31.619103909 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 61656 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 07:37:31.619126081 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 61656 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 07:37:31.834301949 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 61656 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 07:37:38.536349058 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 07:37:38.667704105 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 61664 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 07:37:48.669651985 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 07:37:58.682729959 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 07:38:04.310388088 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 07:38:04.443300009 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 61690 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 25, 2024 07:38:14.458883047 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 07:38:24.471808910 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 07:38:34.477519035 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 07:38:44.489746094 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 07:38:54.504050970 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 07:39:04.517045021 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 07:39:25.850940943 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 25, 2024 07:39:25.981827974 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 24 Oct 2024 12:29:54 GMT Age: 61771 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49746	34.107.221.82	80	404	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 07:36:34.716334105 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 07:36:35.310729980 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 70902 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 07:36:38.252248049 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 07:36:38.376735926 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 70905 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 07:36:42.825305939 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 07:36:42.950103998 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 70909 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 07:36:45.452605009 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 07:36:45.577331066 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 70912 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 07:36:45.953999996 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 07:36:46.080600977 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 70913 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 07:36:48.224859953 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 07:36:48.349488020 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 70915 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 07:36:50.974462032 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 07:36:51.099127054 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 70918 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 07:36:52.335489035 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 07:36:52.460462093 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 70919 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 07:36:52.753952980 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 07:36:52.878829002 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 70919 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 07:37:00.287076950 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 07:37:00.411865950 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 70927 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 07:37:00.924988031 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 07:37:01.049407005 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 70927 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 07:37:02.756128073 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 07:37:02.893122911 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 70929 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 07:37:12.893522978 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 07:37:22.900657892 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 07:37:23.469629049 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 07:37:23.594465017 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 70950 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 07:37:30.057074070 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 07:37:30.181931019 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 70957 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 07:37:31.622313023 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 07:37:31.954886913 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 70958 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 07:37:38.670913935 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 07:37:38.795711040 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 70965 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 07:37:48.801292896 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 07:37:58.814253092 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 07:38:04.447072029 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 07:38:04.572144985 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 70991 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 25, 2024 07:38:14.574798107 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 07:38:24.587766886 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 07:38:34.600069046 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 07:38:44.605767012 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 07:38:54.619883060 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 07:39:04.633032084 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 25, 2024 07:39:25.986279011 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 25, 2024 07:39:26.110693932 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 24 Oct 2024 09:54:53 GMT Age: 71073 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Target ID:	0
Start time:	01:36:23
Start date:	25/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x3f0000
File size:	919'552 bytes
MD5 hash:	8412121D3D892E5CA7128D1173835C1B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialFlusher, Description: Yara detected Credential Flusher, Source: 00000000.00000003.2230603947.0000000000D81000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	01:36:23
Start date:	25/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xc60000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:36:23
Start date:	25/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	01:36:25
Start date:	25/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xc60000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	01:36:25
Start date:	25/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	01:36:25
Start date:	25/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0xc60000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	01:36:25
Start date:	25/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	01:36:26
Start date:	25/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0xc60000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	01:36:26
Start date:	25/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	01:36:26
Start date:	25/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xc60000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	01:36:26
Start date:	25/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	01:36:26
Start date:	25/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	01:36:26
Start date:	25/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	01:36:26
Start date:	25/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	01:36:27
Start date:	25/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2292 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2224 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a783a8a-023a-4f1e-9dfc-eb9d41ddebd8} 404 "\\.\pipe\gecko-crash-server-pipe.404" 1bbbec6db10 socket
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	01:36:29
Start date:	25/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3200 -parentBuildID 20230927232528 -prefsHandle 2156 -prefMapHandle 3768 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0994ad6b-3f15-49ad-97dc-6fd7db8108a2} 404 "\\.\pipe\gecko-crash-server-pipe.404" 1bbd1255210 rdd
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	01:36:43
Start date:	25/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5028 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5020 -prefMapHandle 5016 -prefsLen 33093 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d87c2df-334f-4077-865a-6233cc61f1dd} 404 "\\.\pipe\gecko-crash-server-pipe.404" 1bbce984510 utility
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.8%
Total number of Nodes:	1580
Total number of Limit Nodes:	49

Executed Functions

Function 003F42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 003F430D

Part of subcall function 003F6B57: _wcslen.LIBCMT ref: 003F6B6A

GetCurrentProcess.KERNEL32(?,0048CB64,00000000,?,?), ref: 003F4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 003F4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 003F4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 003F4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 003F4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 003F447B
GetSystemInfo.KERNEL32(?,?,?), ref: 003F44A0

Strings

GetNativeSystemInfo, xrefs: 003F4460
|O, xrefs: 004336F8
kernel32.dll, xrefs: 003F444F

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: b1cee10e516bd46d09e9e84203cd76389c5e41f01ee8f8877ad728211e3f9a97
Instruction ID: 65b055973221c3423108a4a7dcaa7d479ff785e88e0267fcb6a57974a91e0508
Opcode Fuzzy Hash: b1cee10e516bd46d09e9e84203cd76389c5e41f01ee8f8877ad728211e3f9a97
Instruction Fuzzy Hash: EFA1C47191A2C4CFE753DB6A7C85DAA3FA46B67308F0459BAD84193B33D2344518CB2D

Function 003F42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,003F50AA,?,?,00000000,00000000), ref: 003F42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,003F50AA,?,?,00000000,00000000), ref: 003F42C9
LoadResource.KERNEL32(?,00000000,?,?,003F50AA,?,?,00000000,00000000,?,?,?,?,?,?,003F4F20), ref: 004335BE
SizeofResource.KERNEL32(?,00000000,?,?,003F50AA,?,?,00000000,00000000,?,?,?,?,?,?,003F4F20), ref: 004335D3
LockResource.KERNEL32(003F50AA,?,?,003F50AA,?,?,00000000,00000000,?,?,?,?,?,?,003F4F20,?), ref: 004335E6

Strings

SCRIPT, xrefs: 003F42BF

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 38f6b0277ae3b0bf739573af78d6a7df592dd7a971b8df99fb5a75bea15be1a7
Instruction ID: d841ef5974cce5aab0ff4c7c7e0e9e8dad976f45b40c04fb66ee835856dcc312
Opcode Fuzzy Hash: 38f6b0277ae3b0bf739573af78d6a7df592dd7a971b8df99fb5a75bea15be1a7
Instruction Fuzzy Hash: C3117C70600704BFD7228B65DC88F2B7BB9EBC5B51F2049BDB502966A0DB71D8008771

Function 00432BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 003F2B6B

Part of subcall function 003F3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004C1418,?,003F2E7F,?,?,?,00000000), ref: 003F3A78

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,004B2224), ref: 00432C10
ShellExecuteW.SHELL32(00000000,?,?,004B2224), ref: 00432C17

Strings

runas, xrefs: 00432C0B

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 1645fa5344f3e007be86a1c6704bda4447d30fc71b1665536dd34927a7a919f3
Instruction ID: 38c4ee818cc67844554fe70f473565976caa44571bab50ed7e6bf58ab2c43841
Opcode Fuzzy Hash: 1645fa5344f3e007be86a1c6704bda4447d30fc71b1665536dd34927a7a919f3
Instruction Fuzzy Hash: 9211B431208309AAC707FF60D852EBEB7A4AF95340F44142EF6465B0A3CF35894A8716

Function 0045D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0045D501
Process32FirstW.KERNEL32(00000000,?), ref: 0045D50F
Process32NextW.KERNEL32(00000000,?), ref: 0045D52F
CloseHandle.KERNELBASE(00000000), ref: 0045D5DC

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 2cc2602b677695b59403b0f8fd290b8d61cbe0844f5ccf255b1d20c4c4f68ef8
Instruction ID: ba7b20c07a640273a48932ee7f22237718b2e37a28945cdfb2240ae4bf29b8ec
Opcode Fuzzy Hash: 2cc2602b677695b59403b0f8fd290b8d61cbe0844f5ccf255b1d20c4c4f68ef8
Instruction Fuzzy Hash: 9131C971004304AFD311EF54C885B7F7BF8EF95344F10092EF585862A2EB719949CB92

Function 0045DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00435222), ref: 0045DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0045DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0045DBEE
FindClose.KERNEL32(00000000), ref: 0045DBFA

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 9b4cfc1f2f108bfd37e059a3daacab74004c0a61c5395bfbef9206cfb4b92472
Instruction ID: a12e49bfc9c91cfecaf82d6b2d8c5e717d72b169da443c5135c3dcde2ff8c83f
Opcode Fuzzy Hash: 9b4cfc1f2f108bfd37e059a3daacab74004c0a61c5395bfbef9206cfb4b92472
Instruction Fuzzy Hash: DDF0A030C109109782316B78AC8D8AF37AC9E01336B144B5BF836C21E1EBB4595986AE

Function 00414CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(004228E9,?,00414CBE,004228E9,004B88B8,0000000C,00414E15,004228E9,00000002,00000000,?,004228E9), ref: 00414D09
TerminateProcess.KERNEL32(00000000,?,00414CBE,004228E9,004B88B8,0000000C,00414E15,004228E9,00000002,00000000,?,004228E9), ref: 00414D10
ExitProcess.KERNEL32 ref: 00414D22

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5d96ef67b9d71852ff6882b3d65b39ccafd685b7f3dc23fa5f611618997fcf9f
Instruction ID: 487eb974f610ee8be72e0f53e71575d54e2d179270d4add0611e32685d7e8990
Opcode Fuzzy Hash: 5d96ef67b9d71852ff6882b3d65b39ccafd685b7f3dc23fa5f611618997fcf9f
Instruction Fuzzy Hash: B2E0B631400148ABCF21AF55ED49A993B69FB81B85B104429FC098A222CB39DD82DB98

Function 003FBF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#L, xrefs: 004407CE

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#L
API String ID: 3964851224-1785973656
Opcode ID: be5d3aaecddabfb06e2e49be140d2d3f679e4b00e9a7c041700d62f31c7f710b
Instruction ID: 1bd03a119d0f59a1c514e434d16ec1cbdf2d30d06306d7ba55aebc11ed2562a8
Opcode Fuzzy Hash: be5d3aaecddabfb06e2e49be140d2d3f679e4b00e9a7c041700d62f31c7f710b
Instruction Fuzzy Hash: D4A2AC706083059FD721CF24C580B2BBBE5BF89304F14986EEA8A9B352D775EC45CB96

Function 0047AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0047B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0047B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0047B1D4
_wcslen.LIBCMT ref: 0047B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0047B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0047B236
_wcslen.LIBCMT ref: 0047B332

Part of subcall function 004605A7: GetStdHandle.KERNEL32(000000F6), ref: 004605C6

_wcslen.LIBCMT ref: 0047B34B
_wcslen.LIBCMT ref: 0047B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0047B3B6
GetLastError.KERNEL32(00000000), ref: 0047B407
CloseHandle.KERNEL32(?), ref: 0047B439
CloseHandle.KERNEL32(00000000), ref: 0047B44A
CloseHandle.KERNEL32(00000000), ref: 0047B45C
CloseHandle.KERNEL32(00000000), ref: 0047B46E
CloseHandle.KERNEL32(?), ref: 0047B4E3

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: d93059dfa6620e095ab3ca89c37a478a88aaf9b8672bca149ea158ca72dc5b58
Instruction ID: 1af12c3d673b1b983cc5350e35e3a6d32613947ac44c592da7cce824f3351053
Opcode Fuzzy Hash: d93059dfa6620e095ab3ca89c37a478a88aaf9b8672bca149ea158ca72dc5b58
Instruction Fuzzy Hash: 2EF19B315042409FC715EF25C891BABBBE5EF85314F14855EF8899B2A2CB38EC44CB96

Function 003FD730 Relevance: 21.6, APIs: 14, Instructions: 621windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 003FD807
timeGetTime.WINMM ref: 003FDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003FDB28
TranslateMessage.USER32(?), ref: 003FDB7B
DispatchMessageW.USER32(?), ref: 003FDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003FDB9F
Sleep.KERNELBASE(0000000A), ref: 003FDBB1

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: aac650e0e825f1b7a313593bc20fd11960c45c06ab82371f5405b2c9c5b77ad9
Instruction ID: c2d323f4624180da1c0d0607e50fdf0585a03f75de651d379a73b1a6a5e163da
Opcode Fuzzy Hash: aac650e0e825f1b7a313593bc20fd11960c45c06ab82371f5405b2c9c5b77ad9
Instruction Fuzzy Hash: B9420430604346EFE726CF24C888B7AB7A6BF45304F54492EF955873A1D7B4E844CB9A

Function 003F2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 003F2D07
RegisterClassExW.USER32(00000030), ref: 003F2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003F2D42
InitCommonControlsEx.COMCTL32(?), ref: 003F2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003F2D6F
LoadIconW.USER32(000000A9), ref: 003F2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 003F2D94

Strings

TaskbarCreated, xrefs: 003F2D37
+, xrefs: 003F2CF0
0, xrefs: 003F2CE9
AutoIt v3 GUI, xrefs: 003F2D23

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: fad3cef6dfe78fd91ec731ef2a6674f37ba630446f66f37a01709148756db7f9
Instruction ID: d150101ec41b0f835ecfed62eec4ad173a4b98d0ac5f8e67a3cfe46004bb8221
Opcode Fuzzy Hash: fad3cef6dfe78fd91ec731ef2a6674f37ba630446f66f37a01709148756db7f9
Instruction Fuzzy Hash: B421F2B1901309AFDB40DFA4EC89BDDBBB4FB09700F10852AFA11A62A0D7B54540CFA9

Function 0043065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0043039A: CreateFileW.KERNELBASE(00000000,00000000,?,00430704,?,?,00000000,?,00430704,00000000,0000000C), ref: 004303B7

GetLastError.KERNEL32 ref: 0043076F
__dosmaperr.LIBCMT ref: 00430776
GetFileType.KERNELBASE(00000000), ref: 00430782
GetLastError.KERNEL32 ref: 0043078C
__dosmaperr.LIBCMT ref: 00430795
CloseHandle.KERNEL32(00000000), ref: 004307B5
CloseHandle.KERNEL32(?), ref: 004308FF
GetLastError.KERNEL32 ref: 00430931
__dosmaperr.LIBCMT ref: 00430938

Strings

H, xrefs: 004308BD

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: b999123f7d6627a579346d60ed143eed659f1280d41a9af9b1a32c6fd3d6a47a
Instruction ID: 6b4c31d0b55ef2f61066c398b51a7f7e1a59686e36fd769a5285a97b1c820eda
Opcode Fuzzy Hash: b999123f7d6627a579346d60ed143eed659f1280d41a9af9b1a32c6fd3d6a47a
Instruction Fuzzy Hash: 6BA12C32A001088FDF19EF68DC61BAE7BA09B09324F14125EF8159B3D1D7399D53CB59

Function 003F344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003F3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004C1418,?,003F2E7F,?,?,?,00000000), ref: 003F3A78

Part of subcall function 003F3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 003F3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 003F356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0043318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 004331CE
RegCloseKey.ADVAPI32(?), ref: 00433210
_wcslen.LIBCMT ref: 00433277
_wcslen.LIBCMT ref: 00433286

Strings

\, xrefs: 0043328C
Software\AutoIt v3\AutoIt, xrefs: 003F3560
Include, xrefs: 00433184, 004331C5
\Include\, xrefs: 003F3527

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: f42223399182fa492b93f5487f99d94ef50044513f0b2c45d049ea05c298eade
Instruction ID: 1cd5442bb64ef6617565d239eb81c1e7ba2bf5b483d70ac39d66969a33a76fa0
Opcode Fuzzy Hash: f42223399182fa492b93f5487f99d94ef50044513f0b2c45d049ea05c298eade
Instruction Fuzzy Hash: 1C718D714043449EC355EF65DD81D6BBBE8BF89340F40093EF945972B0EBB89A48CB6A

Function 003F2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 003F2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 003F2B9D
LoadIconW.USER32(00000063), ref: 003F2BB3
LoadIconW.USER32(000000A4), ref: 003F2BC5
LoadIconW.USER32(000000A2), ref: 003F2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 003F2BEF
RegisterClassExW.USER32(?), ref: 003F2C40

Part of subcall function 003F2CD4: GetSysColorBrush.USER32(0000000F), ref: 003F2D07
Part of subcall function 003F2CD4: RegisterClassExW.USER32(00000030), ref: 003F2D31
Part of subcall function 003F2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003F2D42
Part of subcall function 003F2CD4: InitCommonControlsEx.COMCTL32(?), ref: 003F2D5F
Part of subcall function 003F2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003F2D6F
Part of subcall function 003F2CD4: LoadIconW.USER32(000000A9), ref: 003F2D85
Part of subcall function 003F2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 003F2D94

Strings

0, xrefs: 003F2C0F
AutoIt v3, xrefs: 003F2C2F
#, xrefs: 003F2C16

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: f8c61952da7b72cde504477a840cf5ed72b05f9ef759e0ef3add1e1993923a62
Instruction ID: bfb0cd6216ea3bc25b7beec8806d276159abdecfd6132b49f4b493f37bad7caf
Opcode Fuzzy Hash: f8c61952da7b72cde504477a840cf5ed72b05f9ef759e0ef3add1e1993923a62
Instruction Fuzzy Hash: 2E214C70E00358ABEB509FA5EC85EAE7FB4FB49B54F00043AEA01A66B1D3B54550CF98

Function 003F3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,003F316A,?,?), ref: 003F31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,003F316A,?,?), ref: 003F3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 003F3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,003F316A,?,?), ref: 003F3232
CreatePopupMenu.USER32 ref: 003F3246
PostQuitMessage.USER32(00000000), ref: 003F3267

Strings

TaskbarCreated, xrefs: 003F322D

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: e4a9ea9397732a30837014fba23b874d7ec400d5d239a2929b441e50faf634d9
Instruction ID: 7e2cf95654f0ed4deb10b222b929cd901332f19d02f5b0ae42bfd25645cd33de
Opcode Fuzzy Hash: e4a9ea9397732a30837014fba23b874d7ec400d5d239a2929b441e50faf634d9
Instruction Fuzzy Hash: D1411935240209B6EB163B78DD4AF7E3619E706348F04453BFB06866B2CBB9DA40D76D

Function 003F1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 003F1459
CoUninitialize.COMBASE ref: 003F14F8
UnregisterHotKey.USER32(?), ref: 003F16DD
DestroyWindow.USER32(?), ref: 004324B9
FreeLibrary.KERNEL32(?), ref: 0043251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0043254B

Strings

close all, xrefs: 003F1454

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 563a55d0c8b4a5504891f88f9c642070699fc345b570e8c477c196c62570d450
Instruction ID: 16ff33e4e9a09f1f0ce1ab8438eadc33e3d1b044eb1d8ba664dd3ab6a409c838
Opcode Fuzzy Hash: 563a55d0c8b4a5504891f88f9c642070699fc345b570e8c477c196c62570d450
Instruction Fuzzy Hash: B1D1CD31701212DFCB2AEF15D595B29F7A4BF09700F1041AEE94AAB261DB34ED12CF98

Function 003F2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 003F2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 003F2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,003F1CAD,?), ref: 003F2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,003F1CAD,?), ref: 003F2CCF

Strings

AutoIt v3, xrefs: 003F2C89, 003F2C8E, 003F2C8F
edit, xrefs: 003F2CAC

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 8ace152a60f1e6998520029a94757ed2e9439e0746df089901aafaea7afe98dd
Instruction ID: cb6807ddfa8c349b550dc6b0ba5d3bcc17e3cedd92a66164528da3c1086a480c
Opcode Fuzzy Hash: 8ace152a60f1e6998520029a94757ed2e9439e0746df089901aafaea7afe98dd
Instruction Fuzzy Hash: C4F0D4B56402D07AFB711B27AC48E7B2EBDD7CBF64B11406EFD00A25B1C6751850DAB8

Function 003F3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,003F3B0F,SwapMouseButtons,00000004,?), ref: 003F3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,003F3B0F,SwapMouseButtons,00000004,?), ref: 003F3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,003F3B0F,SwapMouseButtons,00000004,?), ref: 003F3B83

Strings

Control Panel\Mouse, xrefs: 003F3B3E

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 35e976c2053f2157473fec5205c43ff94ebebbc465c399ce52ec1dd6b98b90e5
Instruction ID: 8134270a2a92a796ddbbf04d5e29fbfcd8375d17960b1a58ebc70e2f9f1b5424
Opcode Fuzzy Hash: 35e976c2053f2157473fec5205c43ff94ebebbc465c399ce52ec1dd6b98b90e5
Instruction Fuzzy Hash: 6B112AB5511208FFDB228FA5DC94ABEB7BCEF05784B11486AA905D7210D2319E409764

Function 003F3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 004333A2

Part of subcall function 003F6B57: _wcslen.LIBCMT ref: 003F6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 003F3A04

Strings

Line: , xrefs: 004333EB

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 20245c67c2aef61b988c13804a2f5b73b63824bf2f242b16343e3fa9d1737e9a
Instruction ID: 5bf7fccd08c82845ef5e2a3be71ff9f2b6e7319d4444be06bdd48e536fe11cbe
Opcode Fuzzy Hash: 20245c67c2aef61b988c13804a2f5b73b63824bf2f242b16343e3fa9d1737e9a
Instruction Fuzzy Hash: 4431F671408308AAD322EB20DC45FFFB7E8AB45714F10492FFA99871A1DB749A48C7D6

Function 003F2DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00432C8C

Part of subcall function 003F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003F3A97,?,?,003F2E7F,?,?,?,00000000), ref: 003F3AC2

Part of subcall function 003F2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003F2DC4

Strings

`eK, xrefs: 00432C85
X, xrefs: 00432C5A

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`eK
API String ID: 779396738-1346537380
Opcode ID: 00a3d213ee1c8a27cd506201949b0684678050293de055b75c7589361d4d0e4e
Instruction ID: 4d216a2b983eae82d93032a25bc849f3dc27e6623970c1ca2f7626888c175191
Opcode Fuzzy Hash: 00a3d213ee1c8a27cd506201949b0684678050293de055b75c7589361d4d0e4e
Instruction Fuzzy Hash: 96219371A0029C9BDF02DF95C845BEE7BFCAF49304F00805AE505AB241DBB85A898F65

Function 0040FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00410668

Part of subcall function 004132A4: RaiseException.KERNEL32(?,?,?,0041068A,?,004C1444,?,?,?,?,?,?,0041068A,003F1129,004B8738,003F1129), ref: 00413304

__CxxThrowException@8.LIBVCRUNTIME ref: 00410685

Strings

Unknown exception, xrefs: 00410692

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 444b8ae13ddc1e08d2d64927674e80af0b27e7bf2053984ba9db83ebdc582574
Instruction ID: 25b58e9dd00dabb8604053a941049d324499e1fde9e684c9002ce85352ccf7fb
Opcode Fuzzy Hash: 444b8ae13ddc1e08d2d64927674e80af0b27e7bf2053984ba9db83ebdc582574
Instruction Fuzzy Hash: 83F0283480030C77CB00BA65DC46DDE776D5E00344B60447BB818A19D1EFBDDADAC58C

Function 003F10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 003F1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 003F1BF4
Part of subcall function 003F1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 003F1BFC
Part of subcall function 003F1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 003F1C07
Part of subcall function 003F1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 003F1C12
Part of subcall function 003F1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 003F1C1A
Part of subcall function 003F1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 003F1C22

Part of subcall function 003F1B4A: RegisterWindowMessageW.USER32(00000004,?,003F12C4), ref: 003F1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 003F136A
OleInitialize.OLE32 ref: 003F1388
CloseHandle.KERNEL32(00000000,00000000), ref: 004324AB

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 7b75df7ba1957b0be4f25a8544b78cc9142b1f6145d9096bcecf445f8dad1bcb
Instruction ID: d42dd8fe5398738003e78aa31e93bfc8e09452e6c2f0e273aa1b7fae4c113727
Opcode Fuzzy Hash: 7b75df7ba1957b0be4f25a8544b78cc9142b1f6145d9096bcecf445f8dad1bcb
Instruction Fuzzy Hash: 15719DB8915204AFC3C4EF7AA945E653AE0BB8A344754857ED10ACB373EB348411CF6D

Function 0045C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 003F3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 003F3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0045C259
KillTimer.USER32(?,00000001,?,?), ref: 0045C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0045C270

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 66f08dff9ba86543429e716d7a1dd1196afb2406adc965a5a47598e712a01b43
Instruction ID: d9736c2ea298acead6ed00807cf055aef53e391274ee2dd565272bc3f9b632f1
Opcode Fuzzy Hash: 66f08dff9ba86543429e716d7a1dd1196afb2406adc965a5a47598e712a01b43
Instruction Fuzzy Hash: 8031CA709043446FEB228F648895BDBBBEC9B06305F0004DEE9D997242C7785A89CB55

Function 004286AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,004285CC,?,004B8CC8,0000000C), ref: 00428704
GetLastError.KERNEL32(?,004285CC,?,004B8CC8,0000000C), ref: 0042870E
__dosmaperr.LIBCMT ref: 00428739

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 4d8b93df137bab6849b0abe4c9433979cf5c79c647cfea4994315b2046695a5f
Instruction ID: 98e9af1c21c9f16a7be109a2694fc076fb17bcdfe0bc6e2884a96aa2092032d7
Opcode Fuzzy Hash: 4d8b93df137bab6849b0abe4c9433979cf5c79c647cfea4994315b2046695a5f
Instruction Fuzzy Hash: 3C012B3270663026D664A2357849B7F67594F91779FB9012FFC148B2D3DEBD8C82829C

Function 003FDB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 003FDB7B
DispatchMessageW.USER32(?), ref: 003FDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003FDB9F
Sleep.KERNELBASE(0000000A), ref: 003FDBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00441CC9

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: cbb8efe78955d4e604aac87f445e70ede2d3c4630721a56fb11243444d5ac171
Instruction ID: c859d189846ad58369ffdd27874dcb9e17fa86b16d4e4692d78429af34a4842b
Opcode Fuzzy Hash: cbb8efe78955d4e604aac87f445e70ede2d3c4630721a56fb11243444d5ac171
Instruction Fuzzy Hash: B5F05E306043459BEB30DB608C89FAA73ADEB45350F104A2AE60A830E0DB3494889B2D

Function 00401310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004017F6

Strings

CALL, xrefs: 004017C6

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 27f3158005ebd0a49093872ed68e7676d30d6d8e01c7d8cef4d4884789504dd6
Instruction ID: 34246cf11f6dba799eb682630f94ed96fe3260e9cda5e42e80c2c0e8fd571d54
Opcode Fuzzy Hash: 27f3158005ebd0a49093872ed68e7676d30d6d8e01c7d8cef4d4884789504dd6
Instruction Fuzzy Hash: 9822AE706083419FD714DF15C880B2ABBF1BF85318F14892EF486AB3A1D779E945CB9A

Function 003F3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 003F3908

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 4d09886764d0aed2ccf6d960c1ff13c7a06818ef303a53e911dca3483a145340
Instruction ID: 2fdfb64ce8883bd6e6133c9525237989cba79af8320890d076a0bdb95453694e
Opcode Fuzzy Hash: 4d09886764d0aed2ccf6d960c1ff13c7a06818ef303a53e911dca3483a145340
Instruction Fuzzy Hash: D731F7705043049FE761DF24D884BA7BBF8FF49748F00082EFA9987261D775AA48CB56

Function 0040F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0040F661

Part of subcall function 003FD730: GetInputState.USER32 ref: 003FD807

Sleep.KERNEL32(00000000), ref: 0044F2DE

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 64992f6d31102e7949b3c2eca4b1e4604d1b3f7f09892d6ccdf7abbf928b827a
Instruction ID: b073f88defa0147e8702d0e1ad5ddc88a9601dfd30af7d351487f091e7024df3
Opcode Fuzzy Hash: 64992f6d31102e7949b3c2eca4b1e4604d1b3f7f09892d6ccdf7abbf928b827a
Instruction Fuzzy Hash: 04F08C712402099FD310EF69D499B6AB7E9FF46760F00043AE95DCB6A0DB70A804CFA5

Function 003F4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 003F4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,003F4EDD,?,004C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003F4E9C
Part of subcall function 003F4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 003F4EAE
Part of subcall function 003F4E90: FreeLibrary.KERNEL32(00000000,?,?,003F4EDD,?,004C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003F4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003F4EFD

Part of subcall function 003F4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00433CDE,?,004C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003F4E62
Part of subcall function 003F4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 003F4E74
Part of subcall function 003F4E59: FreeLibrary.KERNEL32(00000000,?,?,00433CDE,?,004C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003F4E87

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: c0481ef253b6001c04fa6a45314aa8dd384696e479d87e67175133a4934a13c1
Instruction ID: 4befcbfb60330fab374d7ed69425debcaceff2151d42eea440f8930c58629fa4
Opcode Fuzzy Hash: c0481ef253b6001c04fa6a45314aa8dd384696e479d87e67175133a4934a13c1
Instruction Fuzzy Hash: 2A11C432610309AACB16BF60DC02FBE77A5AF54711F10442EF646AA1C1EE749A459754

Function 00428402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00428440

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 055ba1b6159ae2e1dfd1874c1389d1dbb52a61d1bf20343ff8caca708035630d
Instruction ID: 70162e2c190b87383a57f39c932a33c805c569f76856d04f10e7a51082b8de19
Opcode Fuzzy Hash: 055ba1b6159ae2e1dfd1874c1389d1dbb52a61d1bf20343ff8caca708035630d
Instruction Fuzzy Hash: AF111C75A0410AAFCB15DF58E94199F7BF5EF48314F14405AF804AB311EA31DA21CB69

Function 00425000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00424C7D: RtlAllocateHeap.NTDLL(00000008,003F1129,00000000,?,00422E29,00000001,00000364,?,?,?,0041F2DE,00423863,004C1444,?,0040FDF5,?), ref: 00424CBE

_free.LIBCMT ref: 0042506C

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: b7aa4ace691c3fa9388ad823ca72a9b2d79f95fd92dbd8f54c6512465cf70c33
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: BB014E723047146BE3318F55EC4195AFBECFB89370FA5051EE184932C0EA746805C778

Function 0041E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: d6336db541ff7d66c6c3f37d936961023c9d9317fea76cbb03a445c41efcebf8
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: E2F0F936611A20A6C6313A679C05BDB33989F62338FD0071FF821922D2DB7C948285AD

Function 003F9CB3 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 003F9CBD

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: e3729318da0625df3177be3d2dedafd8373ba970bdd684dae7d099189324e7ba
Instruction ID: c2d11b020278db885aeabfee37e863a9c0e94144a57a5bdf8a2a524053a5c941
Opcode Fuzzy Hash: e3729318da0625df3177be3d2dedafd8373ba970bdd684dae7d099189324e7ba
Instruction Fuzzy Hash: 5DF0F4B22006046ED7219F29C802BA6BB98EB84760F10853FFA19CB5D1DB35E45486A4

Function 00424C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,003F1129,00000000,?,00422E29,00000001,00000364,?,?,?,0041F2DE,00423863,004C1444,?,0040FDF5,?), ref: 00424CBE

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ae0cfb8d460c7452d14d27c24fc40a82999089a9b1966282effc371482bd7829
Instruction ID: 481b8a76f8ebd0726c1620381c01897e6a32763c8268bfc426008805032caf7f
Opcode Fuzzy Hash: ae0cfb8d460c7452d14d27c24fc40a82999089a9b1966282effc371482bd7829
Instruction Fuzzy Hash: 38F0B43170223467DB215F6BBC09B9B3788EFC17A4B564127B819A73D1CB79D80286AC

Function 00423820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,004C1444,?,0040FDF5,?,?,003FA976,00000010,004C1440,003F13FC,?,003F13C6,?,003F1129), ref: 00423852

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e47686cac375aee37fb6717ffe37416794123936ba12cb01dc2fc74281a225f4
Instruction ID: c082febc26968f9271e9f87bf8f1d85995961c632468083047aa9a919ea7aad5
Opcode Fuzzy Hash: e47686cac375aee37fb6717ffe37416794123936ba12cb01dc2fc74281a225f4
Instruction Fuzzy Hash: 32E0A73230023456D6213E67BC04B9B36E9AB42BF6B550027BD059A6D1CB2DDD0245AD

Function 003F4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,004C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003F4F6D

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: f0e73bc6dfee550889757df8e27d5d3347318757465732d7f0b8e96319b8cc06
Instruction ID: 730a743a23cd5328075d42e7c2cf07edb240f1bde0f2bc1607aec5310534251d
Opcode Fuzzy Hash: f0e73bc6dfee550889757df8e27d5d3347318757465732d7f0b8e96319b8cc06
Instruction Fuzzy Hash: D2F03971505756CFDB369F65E494827BBE4AF14329321897EE2EE82A21CB319888DF10

Function 00482A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00482A66

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: e2bb0989e927950d800039ea83520f2146f32e607eed202a63ccaf3d166faee3
Instruction ID: 84cd9b70cde473e9017d8e9f5c4bc7ddc0ec2016d8624a117964019b42720553
Opcode Fuzzy Hash: e2bb0989e927950d800039ea83520f2146f32e607eed202a63ccaf3d166faee3
Instruction Fuzzy Hash: 83E04F76350116AAC718FA31DD808FE735CEF5039A710493BAC26D6211EB78999687A8

Function 003F30F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 003F314E

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: de0d638dd16f1f609804fefca6494069c69854720e914ade67775dc435bdca06
Instruction ID: 52ea27b164f0d109d3d717c5c146914d1f4e8f89de96e8d7a6fc7303d3ac6d3c
Opcode Fuzzy Hash: de0d638dd16f1f609804fefca6494069c69854720e914ade67775dc435bdca06
Instruction Fuzzy Hash: 0DF037709143589FF7929B64DC45BD97BBCBB0170CF0000F9AA48962A2D7745798CF55

Function 003F2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003F2DC4

Part of subcall function 003F6B57: _wcslen.LIBCMT ref: 003F6B6A

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: bfc7144cba22afa4d10cc29b016370bb63ef9425329517520c7c1f7a1f621bb0
Instruction ID: 86f84363ddd292d969d236cdcdcd2105cb0b7f9d98f39792dfc7ffceee67c1d0
Opcode Fuzzy Hash: bfc7144cba22afa4d10cc29b016370bb63ef9425329517520c7c1f7a1f621bb0
Instruction Fuzzy Hash: E8E0CD72A001245BC711A2599C06FEA77DDDFC8790F0400B5FD09D7258D974AD808654

Function 003F2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 003F3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 003F3908

Part of subcall function 003FD730: GetInputState.USER32 ref: 003FD807

SetCurrentDirectoryW.KERNEL32(?), ref: 003F2B6B

Part of subcall function 003F30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 003F314E

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 4aa4c75e6ab31b9db5937063096e79e08ec7f5a008098b8e11dcdca15b81083f
Instruction ID: 4ab26b05608988dafcf4a0256790ff4c262fcd72a1929b3a555594ba0161244c
Opcode Fuzzy Hash: 4aa4c75e6ab31b9db5937063096e79e08ec7f5a008098b8e11dcdca15b81083f
Instruction Fuzzy Hash: 51E0863130424D06C60ABB759856A7DA759DBD2352F40153FF7464B163CF2489494356

Function 0043039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00430704,?,?,00000000,?,00430704,00000000,0000000C), ref: 004303B7

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6a6fc04cf4828178c2204c10cf304cbe6646b1b9493a252b912170b3f24217c7
Instruction ID: d8207d25fba0f6e373fad7f4ce4beb1bb1fc988c68a86d93079d3847a9d8459d
Opcode Fuzzy Hash: 6a6fc04cf4828178c2204c10cf304cbe6646b1b9493a252b912170b3f24217c7
Instruction Fuzzy Hash: 6CD06C3204010DBBDF028F84DD86EDA3BAAFB48714F014010BE1856020C732E821AB94

Function 003F1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 003F1CBC

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: cb097745c172409f9c24ed381dda0df50bad7b56495c39a588a566205fd0aee3
Instruction ID: 32d945c50b8637ebd5a6344e7a18b3783812a0b046941af8aecc4f4b7364a3f9
Opcode Fuzzy Hash: cb097745c172409f9c24ed381dda0df50bad7b56495c39a588a566205fd0aee3
Instruction Fuzzy Hash: 98C09B35280314BFF6545780BD4AF157754A348B04F044411FA09555F3C3F11410D758

Non-executed Functions

Function 00489576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00409BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00409BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0048961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0048965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0048969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004896C9
SendMessageW.USER32 ref: 004896F2
GetKeyState.USER32(00000011), ref: 0048978B
GetKeyState.USER32(00000009), ref: 00489798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004897AE
GetKeyState.USER32(00000010), ref: 004897B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004897E9
SendMessageW.USER32 ref: 00489810
SendMessageW.USER32(?,00001030,?,00487E95), ref: 00489918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0048992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00489941
SetCapture.USER32(?), ref: 0048994A
ClientToScreen.USER32(?,?), ref: 004899AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 004899BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004899D6
ReleaseCapture.USER32 ref: 004899E1
GetCursorPos.USER32(?), ref: 00489A19
ScreenToClient.USER32(?,?), ref: 00489A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00489A80
SendMessageW.USER32 ref: 00489AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00489AEB
SendMessageW.USER32 ref: 00489B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00489B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00489B4A
GetCursorPos.USER32(?), ref: 00489B68
ScreenToClient.USER32(?,?), ref: 00489B75
GetParent.USER32(?), ref: 00489B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00489BFA
SendMessageW.USER32 ref: 00489C2B
ClientToScreen.USER32(?,?), ref: 00489C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00489CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00489CDE
SendMessageW.USER32 ref: 00489D01
ClientToScreen.USER32(?,?), ref: 00489D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00489D82

Part of subcall function 00409944: GetWindowLongW.USER32(?,000000EB), ref: 00409952

GetWindowLongW.USER32(?,000000F0), ref: 00489E05

Strings

F, xrefs: 00489D07
@GUI_DRAGID, xrefs: 0048997D
p#L, xrefs: 00489990

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#L
API String ID: 3429851547-2489550902
Opcode ID: 5c4092eb4138fbc5d00754ac752019c38c67b4070dd48b959b2e095b5e913d2b
Instruction ID: f633a265bba9722d2351badf29d24c3c239b6685b30b448ce8d0fba5898ddef3
Opcode Fuzzy Hash: 5c4092eb4138fbc5d00754ac752019c38c67b4070dd48b959b2e095b5e913d2b
Instruction Fuzzy Hash: 36427B74204601AFD725EF24CC84EBEBBE5EF49310F180A2EF659972A1E735AC50CB59

Function 00484873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 004848F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00484908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00484927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0048494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0048495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0048497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 004849AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 004849D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00484A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00484A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00484A7E
IsMenu.USER32(?), ref: 00484A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00484AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00484B20
GetWindowLongW.USER32(?,000000F0), ref: 00484B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00484BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00484C82
wsprintfW.USER32 ref: 00484CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00484CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00484CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00484D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00484D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00484D5A

Strings

%d/%02d/%02d, xrefs: 00484CA8

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: b0a78a4e9ba3661fe907b4897e8211b389e147ec53632f500836601f26f4a44d
Instruction ID: 7fe0079997798d8a31590167c5497605e83a0aa2859e9ae0cde8744b56a6c5ef
Opcode Fuzzy Hash: b0a78a4e9ba3661fe907b4897e8211b389e147ec53632f500836601f26f4a44d
Instruction Fuzzy Hash: EC120171500255ABEB25AF24CC49FAF7BF8AF85300F10492EFA15EB2E1D7789941CB58

Function 0040F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0040F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0044F474
IsIconic.USER32(00000000), ref: 0044F47D
ShowWindow.USER32(00000000,00000009), ref: 0044F48A
SetForegroundWindow.USER32(00000000), ref: 0044F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0044F4AA
GetCurrentThreadId.KERNEL32 ref: 0044F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0044F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0044F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0044F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0044F4DE
SetForegroundWindow.USER32(00000000), ref: 0044F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0044F4F6
keybd_event.USER32(00000012,00000000), ref: 0044F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0044F50B
keybd_event.USER32(00000012,00000000), ref: 0044F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0044F519
keybd_event.USER32(00000012,00000000), ref: 0044F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0044F528
keybd_event.USER32(00000012,00000000), ref: 0044F52D
SetForegroundWindow.USER32(00000000), ref: 0044F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0044F557

Strings

Shell_TrayWnd, xrefs: 0044F46F

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 8d8e68f77f8b3d2c62c95da8fbfebde7aa887a1c04bcdc22de93cd4745deb967
Instruction ID: c52cb7260694c843876bb6d7bdde4087a795f10093468c38476cc509c5c90d5e
Opcode Fuzzy Hash: 8d8e68f77f8b3d2c62c95da8fbfebde7aa887a1c04bcdc22de93cd4745deb967
Instruction Fuzzy Hash: 10315271A40228BBFB206BB55C8AFBF7E6CEB44B50F10043AF601E61D1D6B45D00AB79

Function 00451201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 004516C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0045170D
Part of subcall function 004516C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0045173A
Part of subcall function 004516C3: GetLastError.KERNEL32 ref: 0045174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00451286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 004512A8
CloseHandle.KERNEL32(?), ref: 004512B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004512D1
GetProcessWindowStation.USER32 ref: 004512EA
SetProcessWindowStation.USER32(00000000), ref: 004512F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00451310

Part of subcall function 004510BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004511FC), ref: 004510D4
Part of subcall function 004510BF: CloseHandle.KERNEL32(?,?,004511FC), ref: 004510E9

Strings

, xrefs: 0045125A
winsta0, xrefs: 004512CC
default, xrefs: 0045130B
ZK, xrefs: 00451392

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$ZK
API String ID: 22674027-314871684
Opcode ID: 9f85ecc478a590b8aabff2a6536afd7743301daf207426b6f6b70457efc26f72
Instruction ID: bd90cc5168fff163f2adba40d72f418b147b3928d9fe2f49864f36465760e3c2
Opcode Fuzzy Hash: 9f85ecc478a590b8aabff2a6536afd7743301daf207426b6f6b70457efc26f72
Instruction Fuzzy Hash: A5818071900209ABDF119FA4DC89FEF7BB9EF05705F14412AFD10B62A1D7788949CB68

Function 00450B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004510F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00451114
Part of subcall function 004510F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00450B9B,?,?,?), ref: 00451120
Part of subcall function 004510F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00450B9B,?,?,?), ref: 0045112F
Part of subcall function 004510F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00450B9B,?,?,?), ref: 00451136
Part of subcall function 004510F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0045114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00450BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00450C00
GetLengthSid.ADVAPI32(?), ref: 00450C17
GetAce.ADVAPI32(?,00000000,?), ref: 00450C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00450C6D
GetLengthSid.ADVAPI32(?), ref: 00450C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00450C8C
HeapAlloc.KERNEL32(00000000), ref: 00450C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00450CB4
CopySid.ADVAPI32(00000000), ref: 00450CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00450CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00450D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00450D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00450D45
HeapFree.KERNEL32(00000000), ref: 00450D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00450D55
HeapFree.KERNEL32(00000000), ref: 00450D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00450D65
HeapFree.KERNEL32(00000000), ref: 00450D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00450D78
HeapFree.KERNEL32(00000000), ref: 00450D7F

Part of subcall function 00451193: GetProcessHeap.KERNEL32(00000008,00450BB1,?,00000000,?,00450BB1,?), ref: 004511A1
Part of subcall function 00451193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00450BB1,?), ref: 004511A8
Part of subcall function 00451193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00450BB1,?), ref: 004511B7

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 043f2300b61087703898eb2f9bbeef0440c6b14ca8897de4f35b984961cd45e5
Instruction ID: 073291be1dafe2583aeb4b706fc6174b64cce2e4df479bbc91933e632a99602a
Opcode Fuzzy Hash: 043f2300b61087703898eb2f9bbeef0440c6b14ca8897de4f35b984961cd45e5
Instruction Fuzzy Hash: 9B716E7590020AABDF109FE4DC84FEFBBB8BF05341F14452AED14A6292D779A909CB74

Function 0046EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0048CC08), ref: 0046EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0046EB37
GetClipboardData.USER32(0000000D), ref: 0046EB43
CloseClipboard.USER32 ref: 0046EB4F
GlobalLock.KERNEL32(00000000), ref: 0046EB87
CloseClipboard.USER32 ref: 0046EB91
GlobalUnlock.KERNEL32(00000000), ref: 0046EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0046EBC9
GetClipboardData.USER32(00000001), ref: 0046EBD1
GlobalLock.KERNEL32(00000000), ref: 0046EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0046EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0046EC38
GetClipboardData.USER32(0000000F), ref: 0046EC44
GlobalLock.KERNEL32(00000000), ref: 0046EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0046EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0046EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0046ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0046ECF3
CountClipboardFormats.USER32 ref: 0046ED14
CloseClipboard.USER32 ref: 0046ED59

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: dae771855832b2eaa9a3583124490b6b30cd2ed757b157a1e5655d8ed22d9b48
Instruction ID: 0684fe9e9a54b24bb3d0b691779ee7251aaa38a0ec38b171573f140777eff25d
Opcode Fuzzy Hash: dae771855832b2eaa9a3583124490b6b30cd2ed757b157a1e5655d8ed22d9b48
Instruction Fuzzy Hash: C661E038204206AFD301EF21D884F3E77E4AF84744F14486EF5469B2A2EB35ED46CB66

Function 0046698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 004669BE
FindClose.KERNEL32(00000000), ref: 00466A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00466A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00466A75

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00466AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00466ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00466B6A
%02d, xrefs: 00466C00, 00466C0A, 00466C5A, 00466CAA, 00466CFA, 00466D4A
%4d, xrefs: 00466BB1
%03d, xrefs: 00466DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00466B32

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: c91207828371557b08eea56b8c737ef8825e2202f4f502367c75ed1054456a66
Instruction ID: bba600e9add7e16b1fd8e4686386a8a29d899c4e05b35af22a86b3cd2da9979b
Opcode Fuzzy Hash: c91207828371557b08eea56b8c737ef8825e2202f4f502367c75ed1054456a66
Instruction Fuzzy Hash: 7CD15271508304AFC711EBA4C995EBFB7ECAF88704F04491EF685D6291EB78DA44CB62

Function 00469642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00469663
GetFileAttributesW.KERNEL32(?), ref: 004696A1
SetFileAttributesW.KERNEL32(?,?), ref: 004696BB
FindNextFileW.KERNEL32(00000000,?), ref: 004696D3
FindClose.KERNEL32(00000000), ref: 004696DE
FindFirstFileW.KERNEL32(*.*,?), ref: 004696FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0046974A
SetCurrentDirectoryW.KERNEL32(004B6B7C), ref: 00469768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00469772
FindClose.KERNEL32(00000000), ref: 0046977F
FindClose.KERNEL32(00000000), ref: 0046978F

Strings

*.*, xrefs: 004696F5

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 17ea7cf86a05b511cce8368dcbbb00d687e531836ae481451436fdafd66a5913
Instruction ID: 7fe6b5ed52448be8fe6326f01f411f5e07291da937c7bea5d27ea174840358f3
Opcode Fuzzy Hash: 17ea7cf86a05b511cce8368dcbbb00d687e531836ae481451436fdafd66a5913
Instruction Fuzzy Hash: 2D31C532500219AADF14AFB4DC48AEF77AC9F49321F1045ABF805E2190EB78DD448F2D

Function 0046979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 004697BE
FindNextFileW.KERNEL32(00000000,?), ref: 00469819
FindClose.KERNEL32(00000000), ref: 00469824
FindFirstFileW.KERNEL32(*.*,?), ref: 00469840
SetCurrentDirectoryW.KERNEL32(?), ref: 00469890
SetCurrentDirectoryW.KERNEL32(004B6B7C), ref: 004698AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 004698B8
FindClose.KERNEL32(00000000), ref: 004698C5
FindClose.KERNEL32(00000000), ref: 004698D5

Part of subcall function 0045DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0045DB00

Strings

*.*, xrefs: 0046983B

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 3a2714aec42666de0049f63ba8102555422203971584de527f71cb83a0ffb4e8
Instruction ID: 85cb781c52fcea0d495235fcb5a3e89966cc2c3acec5e091c4662929bd4dd289
Opcode Fuzzy Hash: 3a2714aec42666de0049f63ba8102555422203971584de527f71cb83a0ffb4e8
Instruction Fuzzy Hash: 0B31C532500219AADB10BFB5EC48ADF77AC9F46324F1445ABE810A31D0EB78DD85CB6D

Function 0047BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0047C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047B6AE,?,?), ref: 0047C9B5
Part of subcall function 0047C998: _wcslen.LIBCMT ref: 0047C9F1
Part of subcall function 0047C998: _wcslen.LIBCMT ref: 0047CA68
Part of subcall function 0047C998: _wcslen.LIBCMT ref: 0047CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0047BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0047BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0047BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0047C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0047C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0047C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0047C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0047C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0047C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0047C382
RegCloseKey.ADVAPI32(00000000), ref: 0047C38F

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: a242c4a3f30fd9b124ded955874a82e197c5063a36c651632ad8c4db669fab77
Instruction ID: d5236cfd69491b83aed463b0d66dbe7f4694735df460c04d40af01b1528fe834
Opcode Fuzzy Hash: a242c4a3f30fd9b124ded955874a82e197c5063a36c651632ad8c4db669fab77
Instruction Fuzzy Hash: 94023B716042009FC715CF24C8D1E6ABBE5EF49308F18C4AEE84ADB2A2D735ED45CB95

Function 00468195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00468257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00468267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00468273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00468310
SetCurrentDirectoryW.KERNEL32(?), ref: 00468324
SetCurrentDirectoryW.KERNEL32(?), ref: 00468356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0046838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00468395

Strings

*.*, xrefs: 0046839B

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 334648b0c3e877e6284be7ece79e463045a82e86158272a972a6550ac24e5f63
Instruction ID: 580c564203e25b3d38197bda0a6cf15bfac57c5bce2014f552f7f62c801850e5
Opcode Fuzzy Hash: 334648b0c3e877e6284be7ece79e463045a82e86158272a972a6550ac24e5f63
Instruction Fuzzy Hash: 0D615CB25043499FCB10EF60C8509AFB3E8FF89314F04496EF98997251EB39E945CB96

Function 0045D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 003F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003F3A97,?,?,003F2E7F,?,?,?,00000000), ref: 003F3AC2

Part of subcall function 0045E199: GetFileAttributesW.KERNEL32(?,0045CF95), ref: 0045E19A

FindFirstFileW.KERNEL32(?,?), ref: 0045D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0045D1DD
MoveFileW.KERNEL32(?,?), ref: 0045D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0045D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0045D237

Part of subcall function 0045D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0045D21C,?,?), ref: 0045D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0045D253
FindClose.KERNEL32(00000000), ref: 0045D264

Strings

\*.*, xrefs: 0045D0CD, 0045D0D6, 0045D0EB

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: f6c1eb38c2f2ea1214e9295966cff059f5c2f5c4e91cc1bb01d38927b7b94f4f
Instruction ID: a7c9c34f7002463335195d8d3a90de3284d034a3137ab6b2e17d23735afa76f2
Opcode Fuzzy Hash: f6c1eb38c2f2ea1214e9295966cff059f5c2f5c4e91cc1bb01d38927b7b94f4f
Instruction Fuzzy Hash: 52617131C0110D9ACF16EBE1DA92AFEB7B5AF15341F2041AAE90177292EB345F0DCB65

Function 0046ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0046ED91
EmptyClipboard.USER32 ref: 0046ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0046EDAC
CloseClipboard.USER32 ref: 0046EEA3

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 6af8a6af3dafccd5ca04f38202dd9999767cd4289a2844c919f69a5ddeda336d
Instruction ID: e6a54b33e787f372e2cb1b64593f0cfe80895025e0ed091e825c0dbad0e58e01
Opcode Fuzzy Hash: 6af8a6af3dafccd5ca04f38202dd9999767cd4289a2844c919f69a5ddeda336d
Instruction Fuzzy Hash: 7841A0356046119FE310CF16D888F1ABBE1EF44318F14C4AEE4158B762D73AEC42CB95

Function 0045E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 004516C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0045170D
Part of subcall function 004516C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0045173A
Part of subcall function 004516C3: GetLastError.KERNEL32 ref: 0045174A

ExitWindowsEx.USER32(?,00000000), ref: 0045E932

Strings

SeShutdownPrivilege, xrefs: 0045E902
, xrefs: 0045E95C
, xrefs: 0045E920
@, xrefs: 0045E925

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 8644926976658be5dfa38ae75ccf324f0ffe35feb6db14f092ec66c74371ed81
Instruction ID: 311e2eccae07cfcdfa21d9a18e121fdb29cf93231e140cfba40e8c7a28c5d6e0
Opcode Fuzzy Hash: 8644926976658be5dfa38ae75ccf324f0ffe35feb6db14f092ec66c74371ed81
Instruction Fuzzy Hash: DF012BB2A10210ABEB1826B6AC86FBF725C9B14746F150827FC03E21D3D56C5D4882AD

Function 00471204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00471276
WSAGetLastError.WSOCK32 ref: 00471283
bind.WSOCK32(00000000,?,00000010), ref: 004712BA
WSAGetLastError.WSOCK32 ref: 004712C5
closesocket.WSOCK32(00000000), ref: 004712F4
listen.WSOCK32(00000000,00000005), ref: 00471303
WSAGetLastError.WSOCK32 ref: 0047130D
closesocket.WSOCK32(00000000), ref: 0047133C

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: ede64d9b52b68932799c62977b819e9ccff8421f6e6efefeac6eef0e356a10ec
Instruction ID: 08511185c3c24f917a5c46d1d8d21d171e02cd84c3081258841127ac7bce5a57
Opcode Fuzzy Hash: ede64d9b52b68932799c62977b819e9ccff8421f6e6efefeac6eef0e356a10ec
Instruction Fuzzy Hash: 6D417F316001009FD710EF68C488B6ABBE5AF46318F18C599D95A9F3A3C775ED81CBA5

Function 0042B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0042B9D4
_free.LIBCMT ref: 0042B9F8
_free.LIBCMT ref: 0042BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00493700), ref: 0042BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,004C121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0042BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,004C1270,000000FF,?,0000003F,00000000,?), ref: 0042BC36
_free.LIBCMT ref: 0042BD4B

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 473204ac7f15dd0dd1637e2277fbda76a98e3a7f898ccbb92daf3d806106cfb0
Instruction ID: 3f6e6b92a7881fe1a82779962908de6945eaf78dcd7ade399a6637891a3d3af4
Opcode Fuzzy Hash: 473204ac7f15dd0dd1637e2277fbda76a98e3a7f898ccbb92daf3d806106cfb0
Instruction Fuzzy Hash: 56C12975B04225AFCB10DF69AC41BAA7BB8EF46310F9441AFE890D7352D7389D4187D8

Function 0045D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 003F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003F3A97,?,?,003F2E7F,?,?,?,00000000), ref: 003F3AC2

Part of subcall function 0045E199: GetFileAttributesW.KERNEL32(?,0045CF95), ref: 0045E19A

FindFirstFileW.KERNEL32(?,?), ref: 0045D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0045D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0045D481
FindClose.KERNEL32(00000000), ref: 0045D498
FindClose.KERNEL32(00000000), ref: 0045D4A1

Strings

\*.*, xrefs: 0045D3F2

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 66c6e72b62eaf4dc01903a922283a0c0b9ab42ce4a1717544b902526767f8653
Instruction ID: 6bcb26ea9e01d77ca04ac6416d81e0e7f8349eb86078c3c1d2d15145ad5e39f4
Opcode Fuzzy Hash: 66c6e72b62eaf4dc01903a922283a0c0b9ab42ce4a1717544b902526767f8653
Instruction Fuzzy Hash: 7C31A4714083499BC311EF64C8919BF77E8AE92301F404E2EF9D557192EB34AA0DC767

Function 0042E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0042E645

Strings

1#QNAN, xrefs: 0042F84B
1#IND, xrefs: 0042F83D
1#SNAN, xrefs: 0042F844
1#INF, xrefs: 0042F852

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 57f09f53f8d37f6f4c4c0f0068f32b774f68dfa9ef51e231f5d5adf96f5f8d3b
Instruction ID: 9f98ecc8430bec910c7e4ddca0fe9472fc3c710ba4f0e1d05ef24a4c1c44b0f2
Opcode Fuzzy Hash: 57f09f53f8d37f6f4c4c0f0068f32b774f68dfa9ef51e231f5d5adf96f5f8d3b
Instruction Fuzzy Hash: 9AC25B71E046288FDB25CE29ED407EAB7B5EB49304F9441EBD80DE7241E778AE858F44

Function 0046648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004664DC
CoInitialize.OLE32(00000000), ref: 00466639
CoCreateInstance.OLE32(0048FCF8,00000000,00000001,0048FB68,?), ref: 00466650
CoUninitialize.OLE32 ref: 004668D4

Strings

.lnk, xrefs: 004664BA, 00466524, 004665E0

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 0f634a148a2f86ebbef46cdd035cf96e43b4cb37b875b9cd21bfe8c884d0188e
Instruction ID: 544f2e9c5ba4d62641fb1384c23f6a27287910d558277ae8ff04f6961c76a7db
Opcode Fuzzy Hash: 0f634a148a2f86ebbef46cdd035cf96e43b4cb37b875b9cd21bfe8c884d0188e
Instruction Fuzzy Hash: CFD13B71508305AFC315EF24C881A6BB7E8FF94704F10496EF5968B291EB70ED09CB96

Function 004722DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 004722E8

Part of subcall function 0046E4EC: GetWindowRect.USER32(?,?), ref: 0046E504

GetDesktopWindow.USER32 ref: 00472312
GetWindowRect.USER32(00000000), ref: 00472319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00472355
GetCursorPos.USER32(?), ref: 00472381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 004723DF

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: d930e5ebabfe6f81e6c3f276db9466b5ba2dd3f55f7327bde70931a7da8b89c6
Instruction ID: 4ebbe1750ddf0d327e488d734bfbf524c847558f4c8d117f375eb37fdfc70295
Opcode Fuzzy Hash: d930e5ebabfe6f81e6c3f276db9466b5ba2dd3f55f7327bde70931a7da8b89c6
Instruction Fuzzy Hash: 7D31F272104315AFC720DF25D844B9BB7E9FF84314F00492EF88897281DB78EA08CB96

Function 00469B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00469B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00469C8B

Part of subcall function 00463874: GetInputState.USER32 ref: 004638CB
Part of subcall function 00463874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00463966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00469BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00469C75

Strings

*.*, xrefs: 00469B5D

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 8a0b67bbeb132cd8e9979c09b011ffa947255f71ed46c23db5128e03076b4e77
Instruction ID: 605820135f6e4bb26281a564a982cc7f3169087bf829ca9f425a8473167c9def
Opcode Fuzzy Hash: 8a0b67bbeb132cd8e9979c09b011ffa947255f71ed46c23db5128e03076b4e77
Instruction Fuzzy Hash: 6B417F7190420A9FDF15DF64C989AEE7BF8EF05310F20405BE805A6291EB749E84CF6A

Function 0040997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00409BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00409BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00409A4E
GetSysColor.USER32(0000000F), ref: 00409B23
SetBkColor.GDI32(?,00000000), ref: 00409B36

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 255f11b65ea05ff0ccb40c060c0824838551a0905ea3f90e13c05c86a674f6eb
Instruction ID: fe04ec96ec62c6ec10359c0861c373e3e924334048731d7f3ab06f440e2ecc91
Opcode Fuzzy Hash: 255f11b65ea05ff0ccb40c060c0824838551a0905ea3f90e13c05c86a674f6eb
Instruction Fuzzy Hash: ECA1E670209484BAF624AA298C88E7F365DDB86354B15412FF502E67D3CB3DAD03D67E

Function 00471806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0047304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0047307A
Part of subcall function 0047304E: _wcslen.LIBCMT ref: 0047309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0047185D
WSAGetLastError.WSOCK32 ref: 00471884
bind.WSOCK32(00000000,?,00000010), ref: 004718DB
WSAGetLastError.WSOCK32 ref: 004718E6
closesocket.WSOCK32(00000000), ref: 00471915

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 4a76c07dee760ba808fb0e6bb1512822a1ea7de1044e92f4c6c24762e0839ca0
Instruction ID: 2b66ff318420502d6065df80f90cefed1c7187256b00712b770aa750e8223089
Opcode Fuzzy Hash: 4a76c07dee760ba808fb0e6bb1512822a1ea7de1044e92f4c6c24762e0839ca0
Instruction Fuzzy Hash: 7251B271A00204AFDB11AF24C886F7AB7E5AB45718F04845DFA096F3D3C775AD41CBA5

Function 00481C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00481CC0
IsWindowEnabled.USER32 ref: 00481CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00481CDB
IsIconic.USER32 ref: 00481CE9
IsZoomed.USER32 ref: 00481CF7

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 900c062bcc5e8509a59a1a6571f97f33f3ab38511c197113e6cf9c3b090eeafa
Instruction ID: cb59bca5fa3370ec20a06173ddb98f7430e66aee87a01861c9bfe6da02e3ceee
Opcode Fuzzy Hash: 900c062bcc5e8509a59a1a6571f97f33f3ab38511c197113e6cf9c3b090eeafa
Instruction Fuzzy Hash: AF21B4317402115FD721AF1AD884B2F7BE9AF95314B18886EE8468B361C775EC43CB98

Function 003F8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 003F843C
ERCP, xrefs: 003F813C
VUUU, xrefs: 00435DF0
VUUU, xrefs: 003F83FA
VUUU, xrefs: 003F83E8

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 302623c617b9e85ab75d08a724f8ebebefb1456bd98590e8becfc5fa74e050d5
Instruction ID: 59be4759370dc74c725c7f11e24838bcf50dbe6cbddb6555d6b33b418d5d2621
Opcode Fuzzy Hash: 302623c617b9e85ab75d08a724f8ebebefb1456bd98590e8becfc5fa74e050d5
Instruction Fuzzy Hash: 70A28D70A0061ACBDF29CF58C8407BEB7B1BF58314F2585AAD915AB385DB389D81CF94

Function 00458298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 004582AA

Strings

|, xrefs: 004582DA
tbK, xrefs: 004584F4
(, xrefs: 004582F0

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tbK$|
API String ID: 1659193697-3035244722
Opcode ID: c723dcd302222c3806dbae2cccdccd9e8faf5591fe928e87447d5df4bc93a72a
Instruction ID: a749ba32bf1c48e4820b0c0c85f79d3dda02e75221c8cfa9d47329a3178a22ca
Opcode Fuzzy Hash: c723dcd302222c3806dbae2cccdccd9e8faf5591fe928e87447d5df4bc93a72a
Instruction Fuzzy Hash: 0E323775A00605DFCB28CF19C48196AB7F0FF48710B15C46EE89AEB7A2EB74E941CB44

Function 0045AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0045AAAC
SetKeyboardState.USER32(00000080), ref: 0045AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0045AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0045AB88

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 70749057ce740205606b89895c35752b268609b9ac83b77a0d3a5f811afb8811
Instruction ID: 5c52e394d77e22c0e1a1972649df64fffb4e2e483fb32a6108cccae0d2bed7d0
Opcode Fuzzy Hash: 70749057ce740205606b89895c35752b268609b9ac83b77a0d3a5f811afb8811
Instruction Fuzzy Hash: 58310C30A40204AEEB35CA658C05BFF77A6AB44312F04431BFA81562D2D37D9969C7EB

Function 0046CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0046CE89
GetLastError.KERNEL32(?,00000000), ref: 0046CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0046CEFE

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: d36118a6de63b8d520e21f09d2d8292e317fdb617fbac2b39557cf70651f1d74
Instruction ID: 6fd69dbb596f1f976382928fde943bb4333567920b32ea4666cac933a7999b1c
Opcode Fuzzy Hash: d36118a6de63b8d520e21f09d2d8292e317fdb617fbac2b39557cf70651f1d74
Instruction Fuzzy Hash: E821B2719003059BD720DF65C984BAB77FCEB10314F10482FE686D2291E779ED45CB69

Function 00465C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00465CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00465D17
FindClose.KERNEL32(?), ref: 00465D5F

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: bb0b33337a1470abadff0bac4c5985594f71179ac88a4a1a6cc464ff9da0bb17
Instruction ID: 67f08c57896b3a10a4cb1ca082b00584dc7fd6c3dc782bd81a6779e754492ed5
Opcode Fuzzy Hash: bb0b33337a1470abadff0bac4c5985594f71179ac88a4a1a6cc464ff9da0bb17
Instruction Fuzzy Hash: B751AA34604A019FC714DF28C494A9AB7E4FF49314F14855EE95A8B3A2DB34EC45CF96

Function 00422622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0042271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00422724
UnhandledExceptionFilter.KERNEL32(?), ref: 00422731

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 0d304f03596e4d5eb0b7a0a34993804052941f3421d234722ad39ed024f0e480
Instruction ID: a219e0aa2b12b8eff35b4e9a5af7fad123db0344c0a59a8cfae10b5d186c1ea6
Opcode Fuzzy Hash: 0d304f03596e4d5eb0b7a0a34993804052941f3421d234722ad39ed024f0e480
Instruction Fuzzy Hash: B931D57490122CABCB21DF65DD887DDB7B8AF08310F5041EAE81CA7260E7749F818F48

Function 004651CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004651DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00465238
SetErrorMode.KERNEL32(00000000), ref: 004652A1

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 65e26a30c835de6280913aca387dbe72f1be27685affd2438c9dab49288f6ce7
Instruction ID: 0c60eb07c959b8bb812f03c6380b55dee195be3a269290e41cfac98c7708905e
Opcode Fuzzy Hash: 65e26a30c835de6280913aca387dbe72f1be27685affd2438c9dab49288f6ce7
Instruction Fuzzy Hash: B9317C35A00608DFDB00DF54D8C4EAEBBB4FF08314F048099E905AB3A2DB35E846CBA5

Function 004516C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0040FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00410668
Part of subcall function 0040FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00410685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0045170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0045173A
GetLastError.KERNEL32 ref: 0045174A

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: be69c6b0d1d70917ff5fd412fb0695c27984e72286d07863bf246373107d776a
Instruction ID: 4e3e112dad5569d58963b8b6194e21b65dec5edb4a65ef0a4a1e6011dd9a7cf5
Opcode Fuzzy Hash: be69c6b0d1d70917ff5fd412fb0695c27984e72286d07863bf246373107d776a
Instruction Fuzzy Hash: F111EFB2400204AFD7289F68ECC6E6FB7B9EF44715B20843FE45652291EB74BC458B68

Function 0045D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0045D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0045D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0045D650

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: b5368b7af9eec359d5c1aca2cf5a200254bd02e3db8d405cc8d4af58dcdc8c46
Instruction ID: dda51014a2934f11b5369cfc33c8ed6cda2a95b3ce8a91c234a9fdf8444eb139
Opcode Fuzzy Hash: b5368b7af9eec359d5c1aca2cf5a200254bd02e3db8d405cc8d4af58dcdc8c46
Instruction Fuzzy Hash: AA117C71E01228BBDB208F949C84FAFBBBCEB45B50F108126F904E7290C2704A05CBA5

Function 00451663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0045168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 004516A1
FreeSid.ADVAPI32(?), ref: 004516B1

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: dbde4c0c343be2ce7c4a84ef4441a9086e54854892bf035656b246b95745d3ea
Instruction ID: f748b6454c4edb8ccf528cd1b0b120cdca00f2cc78586caea6f348348ebef68e
Opcode Fuzzy Hash: dbde4c0c343be2ce7c4a84ef4441a9086e54854892bf035656b246b95745d3ea
Instruction Fuzzy Hash: 37F04471940308FBDB00CFE09C89EAEBBBCEB08240F104865E900E2181E334AA048B64

Function 0042C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0042C36C

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: a38b39c88310b1755a4d7c912ee2c04636b33b355f35a7c5b2bcb7aec467ecff
Instruction ID: 02f359d86d4a1b39e9d70f5f6b990dd57fb1620692e00f01314996b7a175450f
Opcode Fuzzy Hash: a38b39c88310b1755a4d7c912ee2c04636b33b355f35a7c5b2bcb7aec467ecff
Instruction Fuzzy Hash: AF413D71A00228ABCB20DFB9DC88EAF7778EB84354F5045AEF905C7280E6749D418B58

Function 0044D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0044D28C

Strings

X64, xrefs: 0044D2A8

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 2f6696e813440278c15d3f7aed77439501eb84c5c84b623e299cddd2f0e9b942
Instruction ID: 84a25008eb27f6c5df07bc9252893a5e93eb98e6da9c457274aaed0503d3737b
Opcode Fuzzy Hash: 2f6696e813440278c15d3f7aed77439501eb84c5c84b623e299cddd2f0e9b942
Instruction Fuzzy Hash: 65D0C9B480111DEBCB90CBD0DCC8DDDB37CBB04345F1005A6F106A2140D77495498F24

Function 0041CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: c3c46fca687729c422bfa7242ffd74ed80dd7b6f335d34bf52ac463b181fce00
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: D4022C71E402199BDF14CFA9D9806EEFBF1EF48314F25816AD819E7384D734AE418B88

Function 003FCAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00440C40
p#L, xrefs: 003FCF7F

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#L
API String ID: 0-783923862
Opcode ID: 90ba077a56e35e0f57816be9891694af4fbb2596477faf69f484385f29600efc
Instruction ID: 2bece344a6e175e998d5b8adc878964ff5bd3a191a3795c9c3fc1081dbd9cb7b
Opcode Fuzzy Hash: 90ba077a56e35e0f57816be9891694af4fbb2596477faf69f484385f29600efc
Instruction Fuzzy Hash: F932AF7095021CDBDF15DF90CA81BFEB7B9BF04304F20406AEA06AB292D779AD46CB54

Function 004668EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00466918
FindClose.KERNEL32(00000000), ref: 00466961

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 76faa1631f5fe8667c6b7db0af5ea6dce4e8877addd7223e5774c096c5d2bcd6
Instruction ID: 30d7fa737e54a4703d95f08e5b94e6d3c406f1b03438e1b1e3bb3f9a560de71a
Opcode Fuzzy Hash: 76faa1631f5fe8667c6b7db0af5ea6dce4e8877addd7223e5774c096c5d2bcd6
Instruction Fuzzy Hash: E111D3716042059FC710DF29C484A26BBE5FF85328F05C6ADE8698F3A2D734EC05CB91

Function 004637B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00474891,?,?,00000035,?), ref: 004637E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00474891,?,?,00000035,?), ref: 004637F4

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: da90a520f9ad74ecba31047497c0e5e6b3781f7a5234f9b54350d404dad9b6fe
Instruction ID: 54fb8357f0f558eb79377d696b2ff75b333a5f76d995c86e815e646f9e5fbd00
Opcode Fuzzy Hash: da90a520f9ad74ecba31047497c0e5e6b3781f7a5234f9b54350d404dad9b6fe
Instruction Fuzzy Hash: 53F0E5B06042282AE7201B769C8DFEB7AAEEFC4762F00017AF509D2291D9709904C7B9

Function 0045B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0045B25D
keybd_event.USER32(?,7694C0D0,?,00000000), ref: 0045B270

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 733505f948a6ef6ab4d61ae09ab7081b24a8e0d2247fecdc57a7190df3f9d496
Instruction ID: eea58bebce05c6b7f0b544c5c95dafef81a446692f75237191dd1cea8f35761c
Opcode Fuzzy Hash: 733505f948a6ef6ab4d61ae09ab7081b24a8e0d2247fecdc57a7190df3f9d496
Instruction Fuzzy Hash: BDF01D7180424EABDF059FA0C805BAE7BB4FF04305F00845AFD55A5192C7798615DFA8

Function 004510BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004511FC), ref: 004510D4
CloseHandle.KERNEL32(?,?,004511FC), ref: 004510E9

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: ae47f610f273932da0a9e6bad947e44103fdc79e7d4199aa89a93baa65744983
Instruction ID: a305cfd632bad06d6e2a4eb0c320cef69d77cbacad0e281f3a47fd41ffa974cc
Opcode Fuzzy Hash: ae47f610f273932da0a9e6bad947e44103fdc79e7d4199aa89a93baa65744983
Instruction Fuzzy Hash: D1E04F32014600AEE7252B61FC05E7777A9EF04310B20883EF8A6808F1DB72AC90DB68

Function 0042676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00426766,?,?,00000008,?,?,0042FEFE,00000000), ref: 00426998

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 0f6f8cf373c19db0cafb6da353ac90a78e8c77fcbebe12856703fcf8b749d963
Instruction ID: 746b2d5111b98ae883941f8475ca6b1203ad81cda077d2f194318e45adae05e2
Opcode Fuzzy Hash: 0f6f8cf373c19db0cafb6da353ac90a78e8c77fcbebe12856703fcf8b749d963
Instruction Fuzzy Hash: C2B1AD71610618CFD718CF28D486B657BE0FF05364F668699E899CF3A2C739E982CB44

Function 0040B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0044851F

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: ec12253f35108dfc8b7c36dbbf81e4fc54848952f7b9b31622f4923994ca1e3b
Instruction ID: 6900085956b6b060cf910e56fecef7413762fdd863792c1117bd9e11243611df
Opcode Fuzzy Hash: ec12253f35108dfc8b7c36dbbf81e4fc54848952f7b9b31622f4923994ca1e3b
Instruction Fuzzy Hash: F61242719002199BDB14CF58C8806EEB7F5FF48710F1481ABE849EB295DB789E81CF99

Function 0046EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0046EABD

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 67f65f8e4f2ae6092181d0ab90d5e86b7032dab5ea70b23324de38f68d0d799f
Instruction ID: f7448c00f591368967fa317901a400fa501513d41d87bca657aa42b758c0b722
Opcode Fuzzy Hash: 67f65f8e4f2ae6092181d0ab90d5e86b7032dab5ea70b23324de38f68d0d799f
Instruction Fuzzy Hash: C9E04F352102089FC710EF9AD844E9AF7E9AF98760F00842AFD49DB351EB74E8418BA5

Function 004109D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,004103EE), ref: 004109DA

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 2829c6c2da43ce3b0c37f184dce7867ac60f53a594c3e9ab2dc7e71e26d4a827
Instruction ID: d0e709aa8d2f641bdb2537f7696b844225fea61a054d38b9bca8d8a97f40bdcd
Opcode Fuzzy Hash: 2829c6c2da43ce3b0c37f184dce7867ac60f53a594c3e9ab2dc7e71e26d4a827
Instruction Fuzzy Hash:

Function 0041781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0041798B

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: af2484a871b91ec5c9b2172b16a3bac44c10e883e7efb707e17a36b6b99b472e
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 01516AB165C60557EB38666988997FF27B59B02344F18090FE882C7382C61DDECAD35E

Function 00462046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&L, xrefs: 00462053

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID: 0&L
API String ID: 0-1738453533
Opcode ID: c9763597a9d4fab0522711f4ab896f7c80205ee2265d7e1f6598d4d697b82976
Instruction ID: 163846ebe3c7294f2d0536d1a4df63b8126fd7abb813d6662081484aa4982b7c
Opcode Fuzzy Hash: c9763597a9d4fab0522711f4ab896f7c80205ee2265d7e1f6598d4d697b82976
Instruction Fuzzy Hash: 5221E7323206158BD728CF79C92367E73E5A754310F14862EE4A7C33D0DEB9A904CB94

Function 00426DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d665869f12da928c5a48bb69c834377d7ea66cc8a8204ba29c3fd44c0db6c8b4
Instruction ID: f65c9a0f7c73471ed7c427717fcf50ea9a24a6d4aada53c796c0f181cf5fa4a6
Opcode Fuzzy Hash: d665869f12da928c5a48bb69c834377d7ea66cc8a8204ba29c3fd44c0db6c8b4
Instruction Fuzzy Hash: B9324521E29F114DDB239634ED62336A249AFB73C5F55C737E81AB5EA5EB28C4C34108

Function 0040CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5facdbc1b4d5ea5e33aa7b16c278d43fc266560ff58b3fb69aac2364d90916f2
Instruction ID: 6488bcc90f676bb7a18e3b6c882739e2df68c0c7f5433acf38fc374131aafc9c
Opcode Fuzzy Hash: 5facdbc1b4d5ea5e33aa7b16c278d43fc266560ff58b3fb69aac2364d90916f2
Instruction Fuzzy Hash: C9320131A051458BFF68CF29C4D067E77A1EB45304F2C863BD44AAB392D63C9D82DB49

Function 003F7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2ff660e0d266f46bf905bbfe0355caf745368a2fc216659d36f31a75b6b5909
Instruction ID: 36c2fe1ccc01e745cd47552d766217a6de674235299278c137e258a6ac812a49
Opcode Fuzzy Hash: d2ff660e0d266f46bf905bbfe0355caf745368a2fc216659d36f31a75b6b5909
Instruction Fuzzy Hash: 4222B170A04609DFDF14CFA5C941ABEB7F6FF48300F10452AE816AB291EB39AD55CB54

Function 003F91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f0e4a8c3a7a7665e017cfe56403782aec6f921fded6b4a51e08b06b8d0832e3
Instruction ID: 495c5d09cdbe17819c077e14559fa4df16211b11b08d34a410291882e56bb63d
Opcode Fuzzy Hash: 9f0e4a8c3a7a7665e017cfe56403782aec6f921fded6b4a51e08b06b8d0832e3
Instruction Fuzzy Hash: B902D6B0A00209EBCB05DF55D881BAEB7B5FF48304F10816AE9069B3D1EB35AE55CB85

Function 00429EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe59bbd8e322546dd73fe0f3edc438bc7ea771be5f87fa3c897884a040b7160b
Instruction ID: 8d1fc96e3d0cf6e4f5697250c97a2950add2a1f41efeb71dbbd83f932b8124dd
Opcode Fuzzy Hash: fe59bbd8e322546dd73fe0f3edc438bc7ea771be5f87fa3c897884a040b7160b
Instruction Fuzzy Hash: D5B11420E6AF505DD3239A398835336B65CAFBB6D6F91D32BFC1674D22EB2185834144

Function 00417A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 708adbb178def6a08fb8acde08d0c93beda3b0232d291d05bf057c0d135bd854
Instruction ID: 02b8e5ec8e78c6a6b509e210014179d19901169035aee529bca9ca2f40c088ba
Opcode Fuzzy Hash: 708adbb178def6a08fb8acde08d0c93beda3b0232d291d05bf057c0d135bd854
Instruction Fuzzy Hash: 5561477124C70956DA349A288895BFF33B4DF41788F24091FE846DB382DB1DAEC2835E

Function 00417CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 342f8178a018657f773b98767da9b9097f1148eed2cf43963c418bbb4e52263f
Instruction ID: 78a2d8f6006ff2ec2fdd3592ef489464d0184cd4ea8cd28f93358a8e4dff718f
Opcode Fuzzy Hash: 342f8178a018657f773b98767da9b9097f1148eed2cf43963c418bbb4e52263f
Instruction Fuzzy Hash: A861467120C70D66DA384A28A895BFF23F59F42748F10095FE942DB381DA1EADC2825E

Function 00443CD2 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a22b57c88e4e5f9c02036540c344223549d64365ecad51204bf9b24cbbcef656
Instruction ID: 4adeeeb875ce0d4ad19c6b140ff4379e30a4fb8d7c27c710906cae6d62e97358
Opcode Fuzzy Hash: a22b57c88e4e5f9c02036540c344223549d64365ecad51204bf9b24cbbcef656
Instruction Fuzzy Hash: 567128B49083C19FE766CF2080D9966BFE0EF12715B2A84FFC9864B193D634D946C70A

Function 00472ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00472B30
DeleteObject.GDI32(00000000), ref: 00472B43
DestroyWindow.USER32 ref: 00472B52
GetDesktopWindow.USER32 ref: 00472B6D
GetWindowRect.USER32(00000000), ref: 00472B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00472CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00472CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00472CF8
GetClientRect.USER32(00000000,?), ref: 00472D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00472D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00472D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00472D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00472D80
GlobalLock.KERNEL32(00000000), ref: 00472D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00472D98
GlobalUnlock.KERNEL32(00000000), ref: 00472DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00472DA8
GlobalFree.KERNEL32(00000000), ref: 00472DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00472DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0048FC38,00000000), ref: 00472DDB
GlobalFree.KERNEL32(00000000), ref: 00472DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00472E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00472E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00472E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0047303F

Strings

, xrefs: 00472FC5
AutoIt v3, xrefs: 00472CF2
DISPLAY, xrefs: 00472EA2
static, xrefs: 00472D3A, 00472E91

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 866e2dd8e753ee3c633b67e23ea39956605f66ccddabe7c6e1700586462cd6ba
Instruction ID: 6f81a7561ef25761cb647595b8a919e013b4f7785f940648496f3455bb50c0f3
Opcode Fuzzy Hash: 866e2dd8e753ee3c633b67e23ea39956605f66ccddabe7c6e1700586462cd6ba
Instruction Fuzzy Hash: F1028C71900209AFDB14DF64CD89EAE7BB9EF49310F008569F919AB2A1D778ED01CF64

Function 004870D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0048712F
GetSysColorBrush.USER32(0000000F), ref: 00487160
GetSysColor.USER32(0000000F), ref: 0048716C
SetBkColor.GDI32(?,000000FF), ref: 00487186
SelectObject.GDI32(?,?), ref: 00487195
InflateRect.USER32(?,000000FF,000000FF), ref: 004871C0
GetSysColor.USER32(00000010), ref: 004871C8
CreateSolidBrush.GDI32(00000000), ref: 004871CF
FrameRect.USER32(?,?,00000000), ref: 004871DE
DeleteObject.GDI32(00000000), ref: 004871E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00487230
FillRect.USER32(?,?,?), ref: 00487262
GetWindowLongW.USER32(?,000000F0), ref: 00487284

Part of subcall function 004873E8: GetSysColor.USER32(00000012), ref: 00487421
Part of subcall function 004873E8: SetTextColor.GDI32(?,?), ref: 00487425
Part of subcall function 004873E8: GetSysColorBrush.USER32(0000000F), ref: 0048743B
Part of subcall function 004873E8: GetSysColor.USER32(0000000F), ref: 00487446
Part of subcall function 004873E8: GetSysColor.USER32(00000011), ref: 00487463
Part of subcall function 004873E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00487471
Part of subcall function 004873E8: SelectObject.GDI32(?,00000000), ref: 00487482
Part of subcall function 004873E8: SetBkColor.GDI32(?,00000000), ref: 0048748B
Part of subcall function 004873E8: SelectObject.GDI32(?,?), ref: 00487498
Part of subcall function 004873E8: InflateRect.USER32(?,000000FF,000000FF), ref: 004874B7
Part of subcall function 004873E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004874CE
Part of subcall function 004873E8: GetWindowLongW.USER32(00000000,000000F0), ref: 004874DB

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 6da4c82725b779ba7e11b2106da06983a31cb6760967c4e594d1926efe6974a1
Instruction ID: 4db8d1974e26953b0362920e91dc8d463998d63b1df0dab4d4ce1c83034535af
Opcode Fuzzy Hash: 6da4c82725b779ba7e11b2106da06983a31cb6760967c4e594d1926efe6974a1
Instruction Fuzzy Hash: 61A19372008311BFDB10AF64DC88A5F7BA9FB49320F100E2DF962961E1D775D945CB66

Function 00472711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0047273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0047286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 004728A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 004728B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00472900
GetClientRect.USER32(00000000,?), ref: 0047290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00472955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00472964
GetStockObject.GDI32(00000011), ref: 00472974
SelectObject.GDI32(00000000,00000000), ref: 00472978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00472988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00472991
DeleteDC.GDI32(00000000), ref: 0047299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004729C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 004729DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00472A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00472A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00472A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00472A77
GetStockObject.GDI32(00000011), ref: 00472A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00472A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00472A97

Strings

msctls_progress32, xrefs: 00472A13
AutoIt v3, xrefs: 004728F8
DISPLAY, xrefs: 0047295A
static, xrefs: 0047294F, 00472A71

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: c237629a10aa0cac6875291068ee474f356d9d916eaa31520df21e861db4c87f
Instruction ID: 3c78963f6ef73bf949395c8a4c94b4923fe62d3c00a52e7ff2c28969f7795044
Opcode Fuzzy Hash: c237629a10aa0cac6875291068ee474f356d9d916eaa31520df21e861db4c87f
Instruction Fuzzy Hash: FBB17171A00219AFEB14DF68CD85FAE7BB9EB05714F008519FA15EB2A1D774ED00CBA4

Function 00464ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00464AED
GetDriveTypeW.KERNEL32(?,0048CB68,?,\\.\,0048CC08), ref: 00464BCA
SetErrorMode.KERNEL32(00000000,0048CB68,?,\\.\,0048CC08), ref: 00464D36

Strings

FileBackedVirtual, xrefs: 00464CEC
CDROM, xrefs: 00464BFB
SSA, xrefs: 00464CA6
USB, xrefs: 00464CB4
MMC, xrefs: 00464CDE
Fixed, xrefs: 00464C09
RAMDisk, xrefs: 00464BF4
Virtual, xrefs: 00464CE5
Network, xrefs: 00464C02
iSCSI, xrefs: 00464CC2
ATA, xrefs: 00464C98
Removable, xrefs: 00464C10, 00464C15
PhysicalDrive, xrefs: 00464B76
Unknown, xrefs: 00464BED, 00464C83
SAS, xrefs: 00464CC9
SATA, xrefs: 00464CD0
SSD, xrefs: 00464C4A
SCSI, xrefs: 00464C8A
\\.\, xrefs: 00464B3F
Fibre, xrefs: 00464CAD
1394, xrefs: 00464C9F
RAID, xrefs: 00464CBB
ATAPI, xrefs: 00464C91

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 970a3c133aba86f182b7004bd50c2232678a4373b0939663efa08ccf9e194ff9
Instruction ID: d49ee9f95d53a8e2f440c812ae9e275aa302d57f6f69503e27375d3ec739bda2
Opcode Fuzzy Hash: 970a3c133aba86f182b7004bd50c2232678a4373b0939663efa08ccf9e194ff9
Instruction Fuzzy Hash: 8A61B4706011059BCF04DF18C981ABD7BA4AF84744B268417F906AB791EB3DED42DB6F

Function 004873E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00487421
SetTextColor.GDI32(?,?), ref: 00487425
GetSysColorBrush.USER32(0000000F), ref: 0048743B
GetSysColor.USER32(0000000F), ref: 00487446
CreateSolidBrush.GDI32(?), ref: 0048744B
GetSysColor.USER32(00000011), ref: 00487463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00487471
SelectObject.GDI32(?,00000000), ref: 00487482
SetBkColor.GDI32(?,00000000), ref: 0048748B
SelectObject.GDI32(?,?), ref: 00487498
InflateRect.USER32(?,000000FF,000000FF), ref: 004874B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004874CE
GetWindowLongW.USER32(00000000,000000F0), ref: 004874DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0048752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00487554
InflateRect.USER32(?,000000FD,000000FD), ref: 00487572
DrawFocusRect.USER32(?,?), ref: 0048757D
GetSysColor.USER32(00000011), ref: 0048758E
SetTextColor.GDI32(?,00000000), ref: 00487596
DrawTextW.USER32(?,004870F5,000000FF,?,00000000), ref: 004875A8
SelectObject.GDI32(?,?), ref: 004875BF
DeleteObject.GDI32(?), ref: 004875CA
SelectObject.GDI32(?,?), ref: 004875D0
DeleteObject.GDI32(?), ref: 004875D5
SetTextColor.GDI32(?,?), ref: 004875DB
SetBkColor.GDI32(?,?), ref: 004875E5

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 45b2029a6a3e965723d52d77952c192b10f3a1adc8384dc09652753eeed93fb1
Instruction ID: 91834c63deecba1c28efbcf2012d82d1cff2ceb27d464145bb39742f0729ccd5
Opcode Fuzzy Hash: 45b2029a6a3e965723d52d77952c192b10f3a1adc8384dc09652753eeed93fb1
Instruction Fuzzy Hash: E4616271900218BFDF019FA4DC89E9E7F79EB08720F214926F915B72A1D7749940DFA4

Function 00480FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00481128
GetDesktopWindow.USER32 ref: 0048113D
GetWindowRect.USER32(00000000), ref: 00481144
GetWindowLongW.USER32(?,000000F0), ref: 00481199
DestroyWindow.USER32(?), ref: 004811B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 004811ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0048120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0048121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00481232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00481245
IsWindowVisible.USER32(00000000), ref: 004812A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 004812BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 004812D0
GetWindowRect.USER32(00000000,?), ref: 004812E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0048130E
GetMonitorInfoW.USER32(00000000,?), ref: 00481328
CopyRect.USER32(?,?), ref: 0048133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 004813AA

Strings

0, xrefs: 004810D3
(, xrefs: 0048131B
tooltips_class32, xrefs: 004811E6

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 12ac5bf56569f90a352054741e58e76d93b533239eaa7f125d54f4d868906ecc
Instruction ID: 242c7cc1ddb4cb030afc4e5475ec2bf45860f46c87befa9398436a209498ba4f
Opcode Fuzzy Hash: 12ac5bf56569f90a352054741e58e76d93b533239eaa7f125d54f4d868906ecc
Instruction Fuzzy Hash: F6B15A71604341AFD700EF64C884B6FBBE8EF89350F00891EF999AB261D775E845CBA5

Function 00480241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004802E5
_wcslen.LIBCMT ref: 0048031F
_wcslen.LIBCMT ref: 00480389
_wcslen.LIBCMT ref: 004803F1
_wcslen.LIBCMT ref: 00480475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 004804C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00480504

Part of subcall function 0040F9F2: _wcslen.LIBCMT ref: 0040F9FD

Part of subcall function 0045223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00452258
Part of subcall function 0045223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0045228A

Strings

GETSELECTEDCOUNT, xrefs: 00480470, 0048048B
GETSELECTED, xrefs: 004805E1
VIEWCHANGE, xrefs: 00480675
ISSELECTED, xrefs: 004804DD
SELECTALL, xrefs: 00480515
SELECTINVERT, xrefs: 0048057E
DESELECT, xrefs: 0048059C
SELECT, xrefs: 00480548
GETSUBITEMCOUNT, xrefs: 00480384, 0048039F
FINDITEM, xrefs: 00480627
GETITEMCOUNT, xrefs: 00480316, 00480337
SELECTCLEAR, xrefs: 0048052D
GETTEXT, xrefs: 004803EC, 00480407

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 729e51699a61ffa8fa000ab6f9cb14f1e6deca7ad7e52268d0484fcaab03dfb2
Instruction ID: 9ced06c6722300d08bf71e6cd293c10eeb13b2a361724dfe8a2f3abda420b7d8
Opcode Fuzzy Hash: 729e51699a61ffa8fa000ab6f9cb14f1e6deca7ad7e52268d0484fcaab03dfb2
Instruction Fuzzy Hash: 45E1CF312282019BC754EF24C55083FB3E2BFC8718B14496EF896AB3A1D738ED49CB56

Function 00408891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00408968
GetSystemMetrics.USER32(00000007), ref: 00408970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0040899B
GetSystemMetrics.USER32(00000008), ref: 004089A3
GetSystemMetrics.USER32(00000004), ref: 004089C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 004089E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 004089F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00408A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00408A3C
GetClientRect.USER32(00000000,000000FF), ref: 00408A5A
GetStockObject.GDI32(00000011), ref: 00408A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00408A81

Part of subcall function 0040912D: GetCursorPos.USER32(?), ref: 00409141
Part of subcall function 0040912D: ScreenToClient.USER32(00000000,?), ref: 0040915E
Part of subcall function 0040912D: GetAsyncKeyState.USER32(00000001), ref: 00409183
Part of subcall function 0040912D: GetAsyncKeyState.USER32(00000002), ref: 0040919D

SetTimer.USER32(00000000,00000000,00000028,004090FC), ref: 00408AA8

Strings

AutoIt v3 GUI, xrefs: 00408A20

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 033c2a2e0d309e90c53fdc6ed5e2a36a84e4b8172550d34382854e843db8675f
Instruction ID: 61d346ab6a916e92a2445a6d3c66081714fe4aa408db14056f4900a4e2d0d9e0
Opcode Fuzzy Hash: 033c2a2e0d309e90c53fdc6ed5e2a36a84e4b8172550d34382854e843db8675f
Instruction Fuzzy Hash: CDB16E756002099FDF14EF68CD85BAE3BB5BB49314F11412AFA15A72D0DB38E841CF69

Function 00450D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004510F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00451114
Part of subcall function 004510F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00450B9B,?,?,?), ref: 00451120
Part of subcall function 004510F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00450B9B,?,?,?), ref: 0045112F
Part of subcall function 004510F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00450B9B,?,?,?), ref: 00451136
Part of subcall function 004510F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0045114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00450DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00450E29
GetLengthSid.ADVAPI32(?), ref: 00450E40
GetAce.ADVAPI32(?,00000000,?), ref: 00450E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00450E96
GetLengthSid.ADVAPI32(?), ref: 00450EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00450EB5
HeapAlloc.KERNEL32(00000000), ref: 00450EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00450EDD
CopySid.ADVAPI32(00000000), ref: 00450EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00450F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00450F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00450F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00450F6E
HeapFree.KERNEL32(00000000), ref: 00450F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00450F7E
HeapFree.KERNEL32(00000000), ref: 00450F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00450F8E
HeapFree.KERNEL32(00000000), ref: 00450F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00450FA1
HeapFree.KERNEL32(00000000), ref: 00450FA8

Part of subcall function 00451193: GetProcessHeap.KERNEL32(00000008,00450BB1,?,00000000,?,00450BB1,?), ref: 004511A1
Part of subcall function 00451193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00450BB1,?), ref: 004511A8
Part of subcall function 00451193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00450BB1,?), ref: 004511B7

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 29d8273838632a22e39becefdc94996d0b1a17e89ec8e9cb6dd2dd5a23081db1
Instruction ID: a9c90ce2fa76622eb654c8e7f2d484fa7f1d4e59cbe141a9431c3aa7294885e0
Opcode Fuzzy Hash: 29d8273838632a22e39becefdc94996d0b1a17e89ec8e9cb6dd2dd5a23081db1
Instruction Fuzzy Hash: 4371B176900209ABDF209FA0DC89FAFBBB8BF05301F14452AF914E6252D774D909CB74

Function 0047C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0047C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0048CC08,00000000,?,00000000,?,?), ref: 0047C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0047C5A4
_wcslen.LIBCMT ref: 0047C5F4
_wcslen.LIBCMT ref: 0047C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0047C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0047C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0047C84D
RegCloseKey.ADVAPI32(?), ref: 0047C881
RegCloseKey.ADVAPI32(00000000), ref: 0047C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0047C960

Strings

REG_SZ, xrefs: 0047C644
REG_MULTI_SZ, xrefs: 0047C6F5
REG_BINARY, xrefs: 0047C913
REG_EXPAND_SZ, xrefs: 0047C5CD
REG_DWORD, xrefs: 0047C804
REG_QWORD, xrefs: 0047C8C3

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 0786dd2efa53d3a7d467f1e926d51ca2de46860d9e9ab09b8a0b99123220ef3a
Instruction ID: 97c50a07fc5cdef53edee673525750b3a63c923f06d3bfff5c53a87d00291f17
Opcode Fuzzy Hash: 0786dd2efa53d3a7d467f1e926d51ca2de46860d9e9ab09b8a0b99123220ef3a
Instruction Fuzzy Hash: 0D128A352042019FC715DF24C881A6AB7E5FF89714F05885EF98A9B3A2DB35FC45CB8A

Function 0048091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004809C6
_wcslen.LIBCMT ref: 00480A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00480A54
_wcslen.LIBCMT ref: 00480A8A
_wcslen.LIBCMT ref: 00480B06
_wcslen.LIBCMT ref: 00480B81

Part of subcall function 0040F9F2: _wcslen.LIBCMT ref: 0040F9FD

Part of subcall function 00452BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00452BFA

Strings

GETTOTALCOUNT, xrefs: 004809F2, 00480A17
SELECT, xrefs: 00480D11
GETSELECTED, xrefs: 00480C4E
EXISTS, xrefs: 00480B7C, 00480B97
EXPAND, xrefs: 00480BF8
CHECK, xrefs: 00480A85, 00480AA0
UNCHECK, xrefs: 00480D3E
GETITEMCOUNT, xrefs: 00480C1E
COLLAPSE, xrefs: 00480B01, 00480B1C
GETTEXT, xrefs: 00480C97
ISCHECKED, xrefs: 00480CE1

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 40e066e7687da88a65f8f897a3505bba67b6168c7b02f05346cf787d0c04dbcc
Instruction ID: 61d9b448b46a2b6aee3db2680cc004e277f8b78fe34c4a0bd7dc98d0e71a11b2
Opcode Fuzzy Hash: 40e066e7687da88a65f8f897a3505bba67b6168c7b02f05346cf787d0c04dbcc
Instruction Fuzzy Hash: 2CE1BF312183018FC754EF25C45096EB7E1BF99318B108D5EF89A9B3A2D738ED49CB99

Function 0047C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047B6AE,?,?), ref: 0047C9B5
_wcslen.LIBCMT ref: 0047C9F1
_wcslen.LIBCMT ref: 0047CA68
_wcslen.LIBCMT ref: 0047CA9E
_wcslen.LIBCMT ref: 0047CAF9
_wcslen.LIBCMT ref: 0047CB2F
_wcslen.LIBCMT ref: 0047CB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 0047CA62, 0047CA67
HKEY_CLASSES_ROOT, xrefs: 0047CAF3, 0047CAF8
HKCU, xrefs: 0047CBCE
HKU, xrefs: 0047CBF0
HKCC, xrefs: 0047CBAC
HKCR, xrefs: 0047CB29, 0047CB2E
HKEY_CURRENT_USER, xrefs: 0047CBBD
HKLM, xrefs: 0047CA98, 0047CA9D
HKEY_CURRENT_CONFIG, xrefs: 0047CB79, 0047CB7E
HKEY_USERS, xrefs: 0047CBDF

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: dbd06ef8be981e3cf8c8eb0f2afdbaa0a6eb5ae951d4f4af19646e697c78e885
Instruction ID: caae4f080c3d0fdd5dda2ebc6d117cd949d9e2419ad14b784b9e685741ba7212
Opcode Fuzzy Hash: dbd06ef8be981e3cf8c8eb0f2afdbaa0a6eb5ae951d4f4af19646e697c78e885
Instruction Fuzzy Hash: 1F71D67260012A8BCB20DE78D9816FB33919BA4754B25852FF859A7384EB3DDD45C3A8

Function 0048833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0048835A
_wcslen.LIBCMT ref: 0048836E
_wcslen.LIBCMT ref: 00488391
_wcslen.LIBCMT ref: 004883B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 004883F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00485BF2), ref: 0048844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00488487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 004884CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00488501
FreeLibrary.KERNEL32(?), ref: 0048850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0048851D
DestroyIcon.USER32(?,?,?,?,?,00485BF2), ref: 0048852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00488549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00488555

Strings

.exe, xrefs: 00488388
.icl, xrefs: 00488368
.dll, xrefs: 004883AB

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 75671be36684c73dd877b3f26cb3f3f7a0b52367f522fa5353c8511fd2b5f849
Instruction ID: d24a7bf4f3b2d461f140946363a9c5e4630f8751b4d3cf0b3206c7ebc7174e9f
Opcode Fuzzy Hash: 75671be36684c73dd877b3f26cb3f3f7a0b52367f522fa5353c8511fd2b5f849
Instruction Fuzzy Hash: 8261E271500219BAEB14EF64CC81BFF77A8BF04B11F50491EF915D61D1EB78A980CBA8

Function 003F7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#comments-end, xrefs: 003F78D9
#notrayicon, xrefs: 003F77E7
#include, xrefs: 003F7847
Bad directive syntax error, xrefs: 0043519A
', xrefs: 00435169
#pragma compile, xrefs: 003F77D3
#ce, xrefs: 003F78ED
#requireadmin, xrefs: 003F77FF
#cs, xrefs: 003F7873, 003F78C5
Cannot parse #include, xrefs: 00435279
", xrefs: 00435153
#comments-start, xrefs: 003F785F, 003F78B1
#OnAutoItStartRegister, xrefs: 003F7817
#include-once, xrefs: 003F782F
Unterminated group of comments, xrefs: 0043528C

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 02719a25cccfc496cc0f4e3e24737838f74e113a3f0a926a19329c7889ebd5a2
Instruction ID: 5ec1a84a0bec16b83cb8704cee538f7b5b2734a956237b2a2dce8470ecd41c97
Opcode Fuzzy Hash: 02719a25cccfc496cc0f4e3e24737838f74e113a3f0a926a19329c7889ebd5a2
Instruction Fuzzy Hash: 56810971A04209BBDF21BF61CC42FBF3768AF14300F14403AFA04AA196EB79D955C7A9

Function 00463E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00463EF8
_wcslen.LIBCMT ref: 00463F03
_wcslen.LIBCMT ref: 00463F5A
_wcslen.LIBCMT ref: 00463F98
GetDriveTypeW.KERNEL32(?), ref: 00463FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0046401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00464059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00464087

Strings

closed, xrefs: 00463F08, 00463F2D, 00463F46, 00463F7E, 00463F97
wait, xrefs: 00464044
type cdaudio alias cd wait, xrefs: 00464001
close, xrefs: 00463EFE, 00463F18
close cd wait, xrefs: 00464072
open, xrefs: 00463F54, 00463F59
open , xrefs: 00463FE5
set cd door , xrefs: 00464028

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 8d86ac06971654052c47ed95fe8640c5ba382d062ea17653a978ebbf203d6dad
Instruction ID: 64e83d3ee5d90f815dadee3e85df07253dc7313a150db357dc354c8621b38afc
Opcode Fuzzy Hash: 8d86ac06971654052c47ed95fe8640c5ba382d062ea17653a978ebbf203d6dad
Instruction Fuzzy Hash: 767120326042169FC710EF24C8809BBB7F4EF94758F00492EF99587291EB38ED45CB96

Function 00455A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00455A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00455A40
SetWindowTextW.USER32(?,?), ref: 00455A57
GetDlgItem.USER32(?,000003EA), ref: 00455A6C
SetWindowTextW.USER32(00000000,?), ref: 00455A72
GetDlgItem.USER32(?,000003E9), ref: 00455A82
SetWindowTextW.USER32(00000000,?), ref: 00455A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00455AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00455AC3
GetWindowRect.USER32(?,?), ref: 00455ACC
_wcslen.LIBCMT ref: 00455B33
SetWindowTextW.USER32(?,?), ref: 00455B6F
GetDesktopWindow.USER32 ref: 00455B75
GetWindowRect.USER32(00000000), ref: 00455B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00455BD3
GetClientRect.USER32(?,?), ref: 00455BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00455C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00455C2F

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 0abc181ff462ebf40e0a64a9c3de8383f3d8d220860b3e1418fa98382fe20ec6
Instruction ID: 3495fe51c6e0ffadac55f969c2f5623708e7d08b569ff72682e92f627a629bf7
Opcode Fuzzy Hash: 0abc181ff462ebf40e0a64a9c3de8383f3d8d220860b3e1418fa98382fe20ec6
Instruction Fuzzy Hash: 9C719F31900B059FDB20DFA8CE99A6EBBF5FF48705F10092DE542A26A1D778F944CB58

Function 0046FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0046FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0046FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0046FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0046FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0046FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0046FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0046FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0046FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0046FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0046FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0046FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0046FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0046FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0046FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0046FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0046FECC
GetCursorInfo.USER32(?), ref: 0046FEDC
GetLastError.KERNEL32 ref: 0046FF1E

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: d149824f84e950bbd30e28ca37fc0c1ad6c067239c1125e4830993c1eaf5c645
Instruction ID: f2a89f37b1f0beb69fd37fc62004a4e5c94f4eba6040b3f10d42b174444bab27
Opcode Fuzzy Hash: d149824f84e950bbd30e28ca37fc0c1ad6c067239c1125e4830993c1eaf5c645
Instruction Fuzzy Hash: 5E4163B0D043196ADB10DFBA9C8585EBFE8FF04754B50453AE119EB281DB78A9018F95

Function 004530F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0045318D
_wcslen.LIBCMT ref: 004531F8

Strings

CLASS, xrefs: 00453188, 004531A5
TEXT, xrefs: 0045347C
CLASSNN, xrefs: 004531F3, 00453204
REGEXPCLASS, xrefs: 00453255, 00453266
[K, xrefs: 0045339A
NAME, xrefs: 00453335, 00453346
INSTANCE, xrefs: 00453453

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[K
API String ID: 176396367-19976038
Opcode ID: d9d93d7e931d3af60e8367f718a0df0c4abe119ee0e8dae2db1b3feffc30f934
Instruction ID: 40ed83ab558472b0f145418a6bbaca29da164d73c8288926d44387cffdf2d2d0
Opcode Fuzzy Hash: d9d93d7e931d3af60e8367f718a0df0c4abe119ee0e8dae2db1b3feffc30f934
Instruction Fuzzy Hash: 81E1F731A00519ABCB149F74C4417EEFBB0BF44792F64816BEC56A7341DB38AE8D87A4

Function 004100C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 004100C6

Part of subcall function 004100ED: InitializeCriticalSectionAndSpinCount.KERNEL32(004C070C,00000FA0,CE307A0A,?,?,?,?,004323B3,000000FF), ref: 0041011C
Part of subcall function 004100ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,004323B3,000000FF), ref: 00410127
Part of subcall function 004100ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,004323B3,000000FF), ref: 00410138
Part of subcall function 004100ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0041014E
Part of subcall function 004100ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0041015C
Part of subcall function 004100ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0041016A
Part of subcall function 004100ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00410195
Part of subcall function 004100ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004101A0

___scrt_fastfail.LIBCMT ref: 004100E7

Part of subcall function 004100A3: __onexit.LIBCMT ref: 004100A9

Strings

SleepConditionVariableCS, xrefs: 00410154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00410122
InitializeConditionVariable, xrefs: 00410148
WakeAllConditionVariable, xrefs: 00410162
kernel32.dll, xrefs: 00410133

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 72a333e0619358093f2ec7e62cbe82aee84d43233197bc53c105db81bd637b15
Instruction ID: 9f2ad5eea65327db13b59e5608beb83f706174fc2d7d5cd35ffa8eefb7280e49
Opcode Fuzzy Hash: 72a333e0619358093f2ec7e62cbe82aee84d43233197bc53c105db81bd637b15
Instruction Fuzzy Hash: 2D21DA32645710ABD7116B64AC89BAE37D4DB44B55F10053FF901E2691DBFD98808BAC

Function 004644C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0048CC08), ref: 00464527
_wcslen.LIBCMT ref: 0046453B
_wcslen.LIBCMT ref: 00464599
_wcslen.LIBCMT ref: 004645F4
_wcslen.LIBCMT ref: 0046463F
_wcslen.LIBCMT ref: 004646A7

Part of subcall function 0040F9F2: _wcslen.LIBCMT ref: 0040F9FD

GetDriveTypeW.KERNEL32(?,004B6BF0,00000061), ref: 00464743

Strings

all, xrefs: 00464531, 00464536
removable, xrefs: 004645EA, 004645EF
ramdisk, xrefs: 004646F1
cdrom, xrefs: 0046458F, 00464594
network, xrefs: 0046469D, 004646A2
unknown, xrefs: 00464708
fixed, xrefs: 00464635, 0046463A

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: c7ab1b9ec42558994191810ffb2f7a4201a08751a25699e4059c4cc62bf00d47
Instruction ID: 76bc457824fd5a8e38d641a3c6b30196ec379c60472df309a080d541101db248
Opcode Fuzzy Hash: c7ab1b9ec42558994191810ffb2f7a4201a08751a25699e4059c4cc62bf00d47
Instruction Fuzzy Hash: E4B1DE716083029BCB10EF28C890A6BB7E5AFE5724F50491EF59687291E738D845CB6B

Function 0048911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00409BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00409BB2

DragQueryPoint.SHELL32(?,?), ref: 00489147

Part of subcall function 00487674: ClientToScreen.USER32(?,?), ref: 0048769A
Part of subcall function 00487674: GetWindowRect.USER32(?,?), ref: 00487710
Part of subcall function 00487674: PtInRect.USER32(?,?,00488B89), ref: 00487720

SendMessageW.USER32(?,000000B0,?,?), ref: 004891B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 004891BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 004891DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00489225
SendMessageW.USER32(?,000000B0,?,?), ref: 0048923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00489255
SendMessageW.USER32(?,000000B1,?,?), ref: 00489277
DragFinish.SHELL32(?), ref: 0048927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00489371

Strings

p#L, xrefs: 004892BB
@GUI_DRAGFILE, xrefs: 00489320
@GUI_DRAGID, xrefs: 004892E9
@GUI_DROPID, xrefs: 0048929E

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#L
API String ID: 221274066-253960678
Opcode ID: 6579685d88d79b3af74d51ea20aaa3ed9b60dc94cca0f9efcb16a482aa417097
Instruction ID: fa789d4e5e6cab69fc60fa375c44d4ebbe1f71fbe05fbe60f11454df0d127bd7
Opcode Fuzzy Hash: 6579685d88d79b3af74d51ea20aaa3ed9b60dc94cca0f9efcb16a482aa417097
Instruction Fuzzy Hash: 7261AF71108305AFC702EF60DC85EAFBBE8EF89750F00092EF595971A1DB749A49CB66

Function 00473FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0048CC08), ref: 004740BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 004740CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0048CC08), ref: 004740F2
FreeLibrary.KERNEL32(00000000,?,0048CC08), ref: 0047413E
StringFromGUID2.OLE32(?,?,00000028,?,0048CC08), ref: 004741A8
SysFreeString.OLEAUT32(00000009), ref: 00474262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 004742C8
SysFreeString.OLEAUT32(?), ref: 004742F2

Strings

GetModuleHandleExW, xrefs: 004740C7
kernel32.dll, xrefs: 004740B6

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: c2bb9abe55e77e080aa3d84258cbdc034f6654104fce05ca05b5dbf8eb820013
Instruction ID: f2147ab93c94f37d51c5ce2fedcc006a2d0a9d6e43b07c965cb015b616f8c5b0
Opcode Fuzzy Hash: c2bb9abe55e77e080aa3d84258cbdc034f6654104fce05ca05b5dbf8eb820013
Instruction Fuzzy Hash: D9124971A00119EFDB14DF94C884EBEB7B9FF85318F24809AE9099B251C735ED46CBA4

Function 003F326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(004C1990), ref: 00432F8D
GetMenuItemCount.USER32(004C1990), ref: 0043303D
GetCursorPos.USER32(?), ref: 00433081
SetForegroundWindow.USER32(00000000), ref: 0043308A
TrackPopupMenuEx.USER32(004C1990,00000000,?,00000000,00000000,00000000), ref: 0043309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 004330A9

Strings

0, xrefs: 003F327D

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 72cab1ccfb78095bcc3fcc4b8642b5c589b2373e3fa0cfe777e0d483bb6de06f
Instruction ID: 790bc4b8949cf919f172c53be374ab743087996417ec14102c960572519acd8c
Opcode Fuzzy Hash: 72cab1ccfb78095bcc3fcc4b8642b5c589b2373e3fa0cfe777e0d483bb6de06f
Instruction Fuzzy Hash: A1711B30640215BEEB259F25CD89FAFBF64FF05364F204217F614662E1C7B5A910DB98

Function 00486CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00486DEB

Part of subcall function 003F6B57: _wcslen.LIBCMT ref: 003F6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00486E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00486E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00486E94
DestroyWindow.USER32(?), ref: 00486EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,003F0000,00000000), ref: 00486EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00486EFD
GetDesktopWindow.USER32 ref: 00486F16
GetWindowRect.USER32(00000000), ref: 00486F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00486F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00486F4D

Part of subcall function 00409944: GetWindowLongW.USER32(?,000000EB), ref: 00409952

Strings

0, xrefs: 00486D98
tooltips_class32, xrefs: 00486E58, 00486EDD

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 581f9d49fb2b03deef33777bd2574fc0136a1ffc379dfa9aaf3b224e396f35a4
Instruction ID: f63ad76f83c3ae4f629a091c1fe34e9af3b0f3fb2a73dcedcc98976084c7f895
Opcode Fuzzy Hash: 581f9d49fb2b03deef33777bd2574fc0136a1ffc379dfa9aaf3b224e396f35a4
Instruction Fuzzy Hash: 9E715B74104244AFDB61DF18D848FBBBBE9FB89304F14082EFA8997261D774E905CB29

Function 0046C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0046C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0046C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0046C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0046C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0046C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0046C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0046C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0046C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0046C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0046C5F0
InternetCloseHandle.WININET(00000000), ref: 0046C5FB

Strings

, xrefs: 0046C575

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 4f6d69250b9a7a4bb3e6b1d5c2bea78fe964523ae783b9480366dd434ca855f3
Instruction ID: 4bfb902cb3bba7b8e87fdf5d3c32576428c75e43aa313e624adfa18d7b0ebd26
Opcode Fuzzy Hash: 4f6d69250b9a7a4bb3e6b1d5c2bea78fe964523ae783b9480366dd434ca855f3
Instruction Fuzzy Hash: 6A5130B1500205BFDB219F65CDC8ABB7BBCFB04754F00442EF98696650EB38E9449B6A

Function 0048856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00488592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004885A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004885AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004885BA
GlobalLock.KERNEL32(00000000), ref: 004885C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004885D7
GlobalUnlock.KERNEL32(00000000), ref: 004885E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004885E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004885F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0048FC38,?), ref: 00488611
GlobalFree.KERNEL32(00000000), ref: 00488621
GetObjectW.GDI32(?,00000018,?), ref: 00488641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00488671
DeleteObject.GDI32(?), ref: 00488699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004886AF

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: eb549dfc1ad53cc37aa46d7069b7f4794d7f9a9365acc5df1890d3dd53a7126e
Instruction ID: 0aa68d59621e6fd308911668f8624ebbcaa6517ec47231c89ee5ad573e867e2c
Opcode Fuzzy Hash: eb549dfc1ad53cc37aa46d7069b7f4794d7f9a9365acc5df1890d3dd53a7126e
Instruction Fuzzy Hash: 31410975600208AFDB119FA5DC88EAF7BB9EF89B11F10486DF905E7260DB349901DB64

Function 004614BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00461502
VariantCopy.OLEAUT32(?,?), ref: 0046150B
VariantClear.OLEAUT32(?), ref: 00461517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 004615FB
VarR8FromDec.OLEAUT32(?,?), ref: 00461657
VariantInit.OLEAUT32(?), ref: 00461708
SysFreeString.OLEAUT32(?), ref: 0046178C
VariantClear.OLEAUT32(?), ref: 004617D8
VariantClear.OLEAUT32(?), ref: 004617E7
VariantInit.OLEAUT32(00000000), ref: 00461823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00461625
Default, xrefs: 004616AF

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 3972f842b00f4b3afaf4888ca20ec11ecad7a4a2229a53e4abd2719d21a4bffb
Instruction ID: accdc237d4657eb069f351c6ced8919dbe770439af802637189d647260ae1b85
Opcode Fuzzy Hash: 3972f842b00f4b3afaf4888ca20ec11ecad7a4a2229a53e4abd2719d21a4bffb
Instruction Fuzzy Hash: F4D1DE71A00205EBDB109F65D884B7AF7B5BF44700F18846BE407AB2A0EB38D845DB6B

Function 0047B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

Part of subcall function 0047C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047B6AE,?,?), ref: 0047C9B5
Part of subcall function 0047C998: _wcslen.LIBCMT ref: 0047C9F1
Part of subcall function 0047C998: _wcslen.LIBCMT ref: 0047CA68
Part of subcall function 0047C998: _wcslen.LIBCMT ref: 0047CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0047B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0047B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0047B80A
RegCloseKey.ADVAPI32(?), ref: 0047B87E
RegCloseKey.ADVAPI32(?), ref: 0047B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0047B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0047B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0047B922
FreeLibrary.KERNEL32(00000000), ref: 0047B983
RegCloseKey.ADVAPI32(00000000), ref: 0047B994

Strings

RegDeleteKeyExW, xrefs: 0047B8FE
advapi32.dll, xrefs: 0047B8ED

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: c9200dd818bd19dc5071706ca43cccb1441c50699525e8fa6100e0e847280a08
Instruction ID: 218b47cb049260da9ea32acdcd5d692a3f09cd160b3b7e2f9cec2808d59cfb60
Opcode Fuzzy Hash: c9200dd818bd19dc5071706ca43cccb1441c50699525e8fa6100e0e847280a08
Instruction Fuzzy Hash: 87C18A70204201AFD715DF24C495F6ABBE5FF84308F14C49DE5AA8B3A2CB75E845CB96

Function 0047255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004725D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004725E8
CreateCompatibleDC.GDI32(?), ref: 004725F4
SelectObject.GDI32(00000000,?), ref: 00472601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0047266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 004726AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 004726D0
SelectObject.GDI32(?,?), ref: 004726D8
DeleteObject.GDI32(?), ref: 004726E1
DeleteDC.GDI32(?), ref: 004726E8
ReleaseDC.USER32(00000000,?), ref: 004726F3

Strings

(, xrefs: 0047268D

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 4b2538b87ab66f2dfc1d8300d3c53d32f13b081a452f1e9ec8b6f507bd5aa987
Instruction ID: e7d61e7dd733fc17fd61df119f419e9c388f969b69e005b856f26453acb11f16
Opcode Fuzzy Hash: 4b2538b87ab66f2dfc1d8300d3c53d32f13b081a452f1e9ec8b6f507bd5aa987
Instruction Fuzzy Hash: D561E475D00219EFCF14CFA4D984AAEBBB5FF48310F20852EE959A7250E774A941CFA4

Function 0042DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0042DAA1

Part of subcall function 0042D63C: _free.LIBCMT ref: 0042D659
Part of subcall function 0042D63C: _free.LIBCMT ref: 0042D66B
Part of subcall function 0042D63C: _free.LIBCMT ref: 0042D67D
Part of subcall function 0042D63C: _free.LIBCMT ref: 0042D68F
Part of subcall function 0042D63C: _free.LIBCMT ref: 0042D6A1
Part of subcall function 0042D63C: _free.LIBCMT ref: 0042D6B3
Part of subcall function 0042D63C: _free.LIBCMT ref: 0042D6C5
Part of subcall function 0042D63C: _free.LIBCMT ref: 0042D6D7
Part of subcall function 0042D63C: _free.LIBCMT ref: 0042D6E9
Part of subcall function 0042D63C: _free.LIBCMT ref: 0042D6FB
Part of subcall function 0042D63C: _free.LIBCMT ref: 0042D70D
Part of subcall function 0042D63C: _free.LIBCMT ref: 0042D71F
Part of subcall function 0042D63C: _free.LIBCMT ref: 0042D731

_free.LIBCMT ref: 0042DA96

Part of subcall function 004229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0042D7D1,00000000,00000000,00000000,00000000,?,0042D7F8,00000000,00000007,00000000,?,0042DBF5,00000000), ref: 004229DE
Part of subcall function 004229C8: GetLastError.KERNEL32(00000000,?,0042D7D1,00000000,00000000,00000000,00000000,?,0042D7F8,00000000,00000007,00000000,?,0042DBF5,00000000,00000000), ref: 004229F0

_free.LIBCMT ref: 0042DAB8
_free.LIBCMT ref: 0042DACD
_free.LIBCMT ref: 0042DAD8
_free.LIBCMT ref: 0042DAFA
_free.LIBCMT ref: 0042DB0D
_free.LIBCMT ref: 0042DB1B
_free.LIBCMT ref: 0042DB26
_free.LIBCMT ref: 0042DB5E
_free.LIBCMT ref: 0042DB65
_free.LIBCMT ref: 0042DB82
_free.LIBCMT ref: 0042DB9A

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 42914d15875655abcc3de14d65927093ca53d607e5bf383679f5f0a1481fdcea
Instruction ID: 8c6538349f1c1df214072464867c5d11e0170f903ba1a5be16ba73d058879983
Opcode Fuzzy Hash: 42914d15875655abcc3de14d65927093ca53d607e5bf383679f5f0a1481fdcea
Instruction Fuzzy Hash: EF314CB1B04224AFDB21AB3AF945B577BE9FF04315FD1442BE449D7291DA78AC808728

Function 0045365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0045369C
_wcslen.LIBCMT ref: 004536A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00453797
GetClassNameW.USER32(?,?,00000400), ref: 0045380C
GetDlgCtrlID.USER32(?), ref: 0045385D
GetWindowRect.USER32(?,?), ref: 00453882
GetParent.USER32(?), ref: 004538A0
ScreenToClient.USER32(00000000), ref: 004538A7
GetClassNameW.USER32(?,?,00000100), ref: 00453921
GetWindowTextW.USER32(?,?,00000400), ref: 0045395D

Strings

%s%u, xrefs: 00453734

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 424587d375a48a75b045af7a0a442cf2bbcf831bd452d77218954b645ddc5837
Instruction ID: abd9ee5345c8a818c5140debdf3aade02df6db6b4d0bf682e42abd3070429a9d
Opcode Fuzzy Hash: 424587d375a48a75b045af7a0a442cf2bbcf831bd452d77218954b645ddc5837
Instruction Fuzzy Hash: 9F91D5B1204206AFD719DF24C884BEAF7A8FF44386F00452EFD95D2251D734EA49CB95

Function 00454954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00454994
GetWindowTextW.USER32(?,?,00000400), ref: 004549DA
_wcslen.LIBCMT ref: 004549EB
CharUpperBuffW.USER32(?,00000000), ref: 004549F7
_wcsstr.LIBVCRUNTIME ref: 00454A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00454A64
GetWindowTextW.USER32(?,?,00000400), ref: 00454A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00454AE6
GetClassNameW.USER32(?,?,00000400), ref: 00454B20
GetWindowRect.USER32(?,?), ref: 00454B8B

Strings

ThumbnailClass, xrefs: 00454A6F, 00454AF1

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 42b041abc17471a626d145d4a0b6ad7e787da01a2f8eb8804a2c8504be51a685
Instruction ID: ecee6e1e79dac2bd9c8fa0e0af9f7954bafdb22244ef5df6c89adfe6976f0b63
Opcode Fuzzy Hash: 42b041abc17471a626d145d4a0b6ad7e787da01a2f8eb8804a2c8504be51a685
Instruction Fuzzy Hash: 3291A0710042059BDB05CF14C985BAB77E8EF84319F04446EFD859A296EB38ED89CB69

Function 00488D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00409BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00409BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00488D5A
GetFocus.USER32 ref: 00488D6A
GetDlgCtrlID.USER32(00000000), ref: 00488D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00488E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00488ECF
GetMenuItemCount.USER32(?), ref: 00488EEC
GetMenuItemID.USER32(?,00000000), ref: 00488EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00488F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00488F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00488FA1

Strings

0, xrefs: 00488E9F

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 947b19bcdc65c03f0bbc29f01e519c22eda95bb7e1477520e7e100d09f23803a
Instruction ID: 62ac0bc090f299f64b49315ac2f1558ee830f42d2703028eaeb9ff3db25993e4
Opcode Fuzzy Hash: 947b19bcdc65c03f0bbc29f01e519c22eda95bb7e1477520e7e100d09f23803a
Instruction Fuzzy Hash: 56819F71504311ABDB10EF14D884A6F77E9FB88314F540D2EFA84D7291DB38D901CB69

Function 0045BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(004C1990,000000FF,00000000,00000030), ref: 0045BFAC
SetMenuItemInfoW.USER32(004C1990,00000004,00000000,00000030), ref: 0045BFE1
Sleep.KERNEL32(000001F4), ref: 0045BFF3
GetMenuItemCount.USER32(?), ref: 0045C039
GetMenuItemID.USER32(?,00000000), ref: 0045C056
GetMenuItemID.USER32(?,-00000001), ref: 0045C082
GetMenuItemID.USER32(?,?), ref: 0045C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0045C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0045C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0045C145

Strings

0, xrefs: 0045BF3D

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 73509e7fa4829da2ad733694b2a506f9e5237c99b06aed72b6e02360af81ec51
Instruction ID: 417a4e5458ba80015ae341c19f14753463cd91425f705b475d8c75f4d48e1611
Opcode Fuzzy Hash: 73509e7fa4829da2ad733694b2a506f9e5237c99b06aed72b6e02360af81ec51
Instruction Fuzzy Hash: 8E618070900359AFDF11CFA4DDC8AAF7BA9EB05349F00042AED01A3292C779AD09CB65

Function 0045DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0045DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0045DC46
_wcslen.LIBCMT ref: 0045DC50
_wcsstr.LIBVCRUNTIME ref: 0045DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0045DCBC

Strings

\VarFileInfo\Translation, xrefs: 0045DCB4
DefaultLangCodepage, xrefs: 0045DD1F
%u.%u.%u.%u, xrefs: 0045DD9A
StringFileInfo\, xrefs: 0045DC8F
04090000, xrefs: 0045DCF2

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 3a9631697385a075d578e9f3097b017a6e9e5616631367975f827add8905ebe4
Instruction ID: e3ac98ce9b509e6e40854a48a3b3c8197b874d489fcb4a0a4fc5f31af598b901
Opcode Fuzzy Hash: 3a9631697385a075d578e9f3097b017a6e9e5616631367975f827add8905ebe4
Instruction Fuzzy Hash: C64102729402057ADB20A665DC43EFF776CEF45714F20046FF900A6183EA7C9A4987BD

Function 0047CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0047CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0047CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0047CD48

Part of subcall function 0047CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0047CCAA
Part of subcall function 0047CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0047CCBD
Part of subcall function 0047CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0047CCCF
Part of subcall function 0047CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0047CD05
Part of subcall function 0047CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0047CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0047CCF3

Strings

RegDeleteKeyExW, xrefs: 0047CCC9
advapi32.dll, xrefs: 0047CCB8

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: efabed42831bea0d84776824f154b62d964cd8ce39b1b7bcecd17ed30929dcbc
Instruction ID: b526d67e72e73fb48bd2b8ceb663a8e957b1de3830f45f813ee167ae50449fdd
Opcode Fuzzy Hash: efabed42831bea0d84776824f154b62d964cd8ce39b1b7bcecd17ed30929dcbc
Instruction Fuzzy Hash: C0318071901128BBD7219B90DCC8EFFBB7CEF46740F00456AA909E2240D6389A459BB8

Function 00463D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00463D40
_wcslen.LIBCMT ref: 00463D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00463D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00463DBE
RemoveDirectoryW.KERNEL32(?), ref: 00463DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00463E55
CloseHandle.KERNEL32(00000000), ref: 00463E60
CloseHandle.KERNEL32(00000000), ref: 00463E6B

Strings

:, xrefs: 00463D82
\, xrefs: 00463D77
\??\%s, xrefs: 00463D5B

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 24319dfebb7c4985505829fca9a2eea7fdca3ed4d0abd6f6a07af41de7123418
Instruction ID: 1e382e41ae10885966ad57f550e6395beda85de448b66bcd71a751b4bf4b9e13
Opcode Fuzzy Hash: 24319dfebb7c4985505829fca9a2eea7fdca3ed4d0abd6f6a07af41de7123418
Instruction Fuzzy Hash: 55319271900249ABDB219FA0DC89FEF37BCEF88705F1040BAF505D61A0E77897448B29

Function 0045E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0045E6B4

Part of subcall function 0040E551: timeGetTime.WINMM(?,?,0045E6D4), ref: 0040E555

Sleep.KERNEL32(0000000A), ref: 0045E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0045E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0045E727
SetActiveWindow.USER32 ref: 0045E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0045E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0045E773
Sleep.KERNEL32(000000FA), ref: 0045E77E
IsWindow.USER32 ref: 0045E78A
EndDialog.USER32(00000000), ref: 0045E79B

Strings

BUTTON, xrefs: 0045E719

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: a3743c84d6e8489a8949d6a5cad09a7b5febcc016e476dc4155e81ba2e631b22
Instruction ID: e2c5064202ac8c686994d103c9979b7dd76f824764c19243a4c05ccf6ae69f59
Opcode Fuzzy Hash: a3743c84d6e8489a8949d6a5cad09a7b5febcc016e476dc4155e81ba2e631b22
Instruction Fuzzy Hash: 44219874200241AFEB055F22EDC9E2A3B59F75534AF50083AFC51911B2DFB59D049B3C

Function 0045E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0045EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0045EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0045EAA7

Strings

play PlayMe, xrefs: 0045EAA2
status PlayMe mode, xrefs: 0045EA58
play PlayMe wait, xrefs: 0045EA91
alias PlayMe, xrefs: 0045EA36
close PlayMe, xrefs: 0045EA6E, 0045EA9B
open , xrefs: 0045EA0C

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: e8dbd20e5f4d83bc57219eae45cf31d3091c2d2365a4524946e097f473fa0f7b
Instruction ID: dc91014354a256df840c4ef1118a820b536ab44b4817d1352c2dcfcfa8b382c7
Opcode Fuzzy Hash: e8dbd20e5f4d83bc57219eae45cf31d3091c2d2365a4524946e097f473fa0f7b
Instruction Fuzzy Hash: 58119171A9022D79D725A7B2DC4AEFF6A7CEBD1B40F10042BB901A60D1EAB80E05C5B4

Function 00455CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00455CE2
GetWindowRect.USER32(00000000,?), ref: 00455CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00455D59
GetDlgItem.USER32(?,00000002), ref: 00455D69
GetWindowRect.USER32(00000000,?), ref: 00455D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00455DCF
GetDlgItem.USER32(?,000003E9), ref: 00455DDD
GetWindowRect.USER32(00000000,?), ref: 00455DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00455E31
GetDlgItem.USER32(?,000003EA), ref: 00455E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00455E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00455E67

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: ef846124f822d5ebb45979880061ad9cf44574ecf0e8a3c8a95c22a406d475fc
Instruction ID: 68f4ec4c7399b15aa5fed06fbe030034c976c0590e94e47072334237c65cce04
Opcode Fuzzy Hash: ef846124f822d5ebb45979880061ad9cf44574ecf0e8a3c8a95c22a406d475fc
Instruction Fuzzy Hash: B7512F71A00605AFDB18CFA8DD99AAE7BB5EF48301F108139F915E6291D7749E04CB64

Function 00408BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00408F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00408BE8,?,00000000,?,?,?,?,00408BBA,00000000,?), ref: 00408FC5

DestroyWindow.USER32(?), ref: 00408C81
KillTimer.USER32(00000000,?,?,?,?,00408BBA,00000000,?), ref: 00408D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00446973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00408BBA,00000000,?), ref: 004469A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00408BBA,00000000,?), ref: 004469B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00408BBA,00000000), ref: 004469D4
DeleteObject.GDI32(00000000), ref: 004469E6

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 450c4ccd013d975434d5f14a44cbe4eb6fac08a090564d986166592b97df96e5
Instruction ID: cff51711837a7755d254e110f7c7a09d9aa00feeac3b1f31cc69b681727ae8ed
Opcode Fuzzy Hash: 450c4ccd013d975434d5f14a44cbe4eb6fac08a090564d986166592b97df96e5
Instruction Fuzzy Hash: 8C61C370105600DFEB259F14DA48B2A77F1FB42316F10493EE082A6AB0CB79AC91DF6D

Function 00409838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00409944: GetWindowLongW.USER32(?,000000EB), ref: 00409952

GetSysColor.USER32(0000000F), ref: 00409862

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 3ba0913c4a9d3c5ab2c17812261f1ad6a36a6a1ae097843ebc7cf3bba51138e8
Instruction ID: e56d64e9a509d78ad41d093bb80661f9a5cd843a4067bbc636f30823604fe752
Opcode Fuzzy Hash: 3ba0913c4a9d3c5ab2c17812261f1ad6a36a6a1ae097843ebc7cf3bba51138e8
Instruction Fuzzy Hash: 8E41AB71114650AFDB205F389CC8BBA3765EB46330F14462AF9A2973E3D7359C42DB29

Function 00428D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.A, xrefs: 0042903A, 00428FD0, 00428FF2

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID: .A
API String ID: 0-2826776520
Opcode ID: ed4fd0d8060d62199ee5f7c6ddece3ddc4c89bfc0c1bd70ae6fc6f5912388209
Instruction ID: 8cf2c7effa1f850d3715cad79c7d43916aab17ccac6f92877fc6e067f8a8d725
Opcode Fuzzy Hash: ed4fd0d8060d62199ee5f7c6ddece3ddc4c89bfc0c1bd70ae6fc6f5912388209
Instruction Fuzzy Hash: 94C11975F04259AFCB11DFA9E840BAE7BB0BF09310F44409EE41597392CB799D42CB69

Function 004596E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0043F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00459717
LoadStringW.USER32(00000000,?,0043F7F8,00000001), ref: 00459720

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0043F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00459742
LoadStringW.USER32(00000000,?,0043F7F8,00000001), ref: 00459745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00459866

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0045984A
Line %d:, xrefs: 004597A0
Line %d (File "%s"):, xrefs: 0045978F
Error: , xrefs: 0045981D
^ ERROR, xrefs: 004597FB

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 3e6773b836af451b18091474fe0711aaca2acf182a053b7a5155aacbd579fc43
Instruction ID: 2f5c110c2837358e32782d9d8956147eaaa1ec517660a7dcb968dd22bdd10b6f
Opcode Fuzzy Hash: 3e6773b836af451b18091474fe0711aaca2acf182a053b7a5155aacbd579fc43
Instruction Fuzzy Hash: 2241427290021DAACB05FBE1DE86EFE7778AF14341F100066F60576192EB796F48CB65

Function 004506DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 003F6B57: _wcslen.LIBCMT ref: 003F6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004507A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 004507BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 004507DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00450804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0045082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00450837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0045083C

Strings

\CLSID, xrefs: 00450724
\IPC$, xrefs: 00450784
SOFTWARE\Classes\, xrefs: 0045070E

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: bccbd0911d3a65ff2cfe09a53b97dfaad5d2853c832d2ef9617624317697a15d
Instruction ID: e63159ba8d502f5e09db7e3f390aba24c9e38df00547e5dd590cbdf234e98857
Opcode Fuzzy Hash: bccbd0911d3a65ff2cfe09a53b97dfaad5d2853c832d2ef9617624317697a15d
Instruction Fuzzy Hash: 8F41077681022DABDF12EBA4DC95DFEB778BF04390F14412AE905A7261EB745E04CBA4

Function 00473C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00473C5C
CoInitialize.OLE32(00000000), ref: 00473C8A
CoUninitialize.OLE32 ref: 00473C94
_wcslen.LIBCMT ref: 00473D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00473DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00473ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00473F0E
CoGetObject.OLE32(?,00000000,0048FB98,?), ref: 00473F2D
SetErrorMode.KERNEL32(00000000), ref: 00473F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00473FC4
VariantClear.OLEAUT32(?), ref: 00473FD8

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 38bb333c1cd1d5b9623b235cf437e14a5e8935e90a19dbefdc8b4a68bc0b1bee
Instruction ID: c612b7ee773fdf2b635ca27ff4364f36e143851711818584a6f7e70554b50af8
Opcode Fuzzy Hash: 38bb333c1cd1d5b9623b235cf437e14a5e8935e90a19dbefdc8b4a68bc0b1bee
Instruction Fuzzy Hash: 9EC177716083059FC710DF28C88496BB7E9FF89749F10895EF98A9B210D734EE06CB56

Function 00467A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00467AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00467B8F
SHGetDesktopFolder.SHELL32(?), ref: 00467BA3
CoCreateInstance.OLE32(0048FD08,00000000,00000001,004B6E6C,?), ref: 00467BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00467C74
CoTaskMemFree.OLE32(?,?), ref: 00467CCC
SHBrowseForFolderW.SHELL32(?), ref: 00467D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00467D7A
CoTaskMemFree.OLE32(00000000), ref: 00467D81
CoTaskMemFree.OLE32(00000000), ref: 00467DD6
CoUninitialize.OLE32 ref: 00467DDC

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: bdeeac2d80cc18c1ec817d2041b3a46a68c12f51c9950c192b6bf0449598b86a
Instruction ID: 1b3dfa480e1c69578b7806e6ca6b33e78142c27a38e5d66da5e481c6d26a6627
Opcode Fuzzy Hash: bdeeac2d80cc18c1ec817d2041b3a46a68c12f51c9950c192b6bf0449598b86a
Instruction Fuzzy Hash: 13C13B75A04109AFCB14DFA4C884DAEBBF9FF48308B1484A9E91ADB361D734ED45CB94

Function 0048541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00485504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00485515
CharNextW.USER32(00000158), ref: 00485544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00485585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0048559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004855AC

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 8d083cbe078b56b3399334424f043a02bcfec91aa5fd36a269ce03235201f63f
Instruction ID: 16c65f7e30c19403ed214845e6ab053deabf55a2e8c76e4d0bf2e2beb63a21ea
Opcode Fuzzy Hash: 8d083cbe078b56b3399334424f043a02bcfec91aa5fd36a269ce03235201f63f
Instruction Fuzzy Hash: 9261BF70900608EBDF11EF50CC84EFF7BB9EF05721F10485AF925A62A0D7388A81DB69

Function 0044FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0044FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0044FB08
VariantInit.OLEAUT32(?), ref: 0044FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0044FB3A
VariantCopy.OLEAUT32(?,?), ref: 0044FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0044FBA1
VariantClear.OLEAUT32(?), ref: 0044FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0044FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0044FBCC
VariantClear.OLEAUT32(?), ref: 0044FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0044FBE9

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: e7b5b33dbdc9705b4981a343610715d9f6382a243faae686ab2f02f61029a568
Instruction ID: 220ce899de65be10a56fe4a29c84f37def32944f1d8faa819a0f92cf537007df
Opcode Fuzzy Hash: e7b5b33dbdc9705b4981a343610715d9f6382a243faae686ab2f02f61029a568
Instruction Fuzzy Hash: 41415F35A002199FDB00DF64D894DAEBBB9FF48744F00847AE915AB261DB34A945CFA4

Function 00459C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00459CA1
GetAsyncKeyState.USER32(000000A0), ref: 00459D22
GetKeyState.USER32(000000A0), ref: 00459D3D
GetAsyncKeyState.USER32(000000A1), ref: 00459D57
GetKeyState.USER32(000000A1), ref: 00459D6C
GetAsyncKeyState.USER32(00000011), ref: 00459D84
GetKeyState.USER32(00000011), ref: 00459D96
GetAsyncKeyState.USER32(00000012), ref: 00459DAE
GetKeyState.USER32(00000012), ref: 00459DC0
GetAsyncKeyState.USER32(0000005B), ref: 00459DD8
GetKeyState.USER32(0000005B), ref: 00459DEA

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: c9ab7946bb7f4edeee1501275429b07c6cdd78309a96b533a3c5059749a1895b
Instruction ID: 778489422927b60af10a842d20d1dbf47ef51cc5d508505e7aecb2b1b0e66306
Opcode Fuzzy Hash: c9ab7946bb7f4edeee1501275429b07c6cdd78309a96b533a3c5059749a1895b
Instruction Fuzzy Hash: 5241A6345047C9A9FF31966088443A7BEB06B11345F08805FDEC6567C3E7A99DCCC7AA

Function 0047055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 004705BC
inet_addr.WSOCK32(?), ref: 0047061C
gethostbyname.WSOCK32(?), ref: 00470628
IcmpCreateFile.IPHLPAPI ref: 00470636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 004706C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 004706E5
IcmpCloseHandle.IPHLPAPI(?), ref: 004707B9
WSACleanup.WSOCK32 ref: 004707BF

Strings

Ping, xrefs: 00470676

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: fc795e26e7a4e44a0c6f5e86da0689aeb6e403dd9bc774880e07fad87a000db8
Instruction ID: f64d4ef6c2d671f1ca54230fd770b579a2d092135a22c753732f1fff025d68e0
Opcode Fuzzy Hash: fc795e26e7a4e44a0c6f5e86da0689aeb6e403dd9bc774880e07fad87a000db8
Instruction Fuzzy Hash: AB918B35605201EFD324DF25C488F5ABBE0AF44318F14C9AAE4699B7A2C738EC45CF95

Function 00478CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00478CF3

Part of subcall function 00458E54: _wcslen.LIBCMT ref: 00458E77

_wcslen.LIBCMT ref: 00478D4E
_wcslen.LIBCMT ref: 00478D9C
_wcslen.LIBCMT ref: 00478DDC
_wcslen.LIBCMT ref: 00478E6E

Strings

none, xrefs: 00478E65, 00478E6A
stdcall, xrefs: 00478DD6, 00478DDB
winapi, xrefs: 00478D96, 00478D9B
cdecl, xrefs: 00478D48, 00478D4D

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 09ef7fd9b15894f425f5316bc7593acb9816625f8b7bf247cd581d475caccc44
Instruction ID: 75cd0e73bd09a142bb394b5f6524e200b45c811073d8b225ded93bb323b281a5
Opcode Fuzzy Hash: 09ef7fd9b15894f425f5316bc7593acb9816625f8b7bf247cd581d475caccc44
Instruction Fuzzy Hash: D351A331A405169BCB24DF68C9449FEB7A5BF64324B20822FE52AE73C4DB38DD41C794

Function 0047372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00473774
CoUninitialize.OLE32 ref: 0047377F
CoCreateInstance.OLE32(?,00000000,00000017,0048FB78,?), ref: 004737D9
IIDFromString.OLE32(?,?), ref: 0047384C
VariantInit.OLEAUT32(?), ref: 004738E4
VariantClear.OLEAUT32(?), ref: 00473936

Strings

Failed to create object, xrefs: 004737E4, 0047389A
Invalid parameter, xrefs: 00473865
NULL Pointer assignment, xrefs: 0047381E

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 7419f7f11f5e20f2eaeebeb8385d108b4eb62b0b4d08f8fb7beda04b9249b8c9
Instruction ID: 5f2d20d677643dccc01dffd8ed0ed1df1d2c7cc31a92e8f63aaa55bd461a7017
Opcode Fuzzy Hash: 7419f7f11f5e20f2eaeebeb8385d108b4eb62b0b4d08f8fb7beda04b9249b8c9
Instruction Fuzzy Hash: 9661B2706083019FD310EF54C884FAAB7E4AF45706F10885EF5899B291C778EE49DB9B

Function 00488B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00409BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00409BB2

Part of subcall function 0040912D: GetCursorPos.USER32(?), ref: 00409141
Part of subcall function 0040912D: ScreenToClient.USER32(00000000,?), ref: 0040915E
Part of subcall function 0040912D: GetAsyncKeyState.USER32(00000001), ref: 00409183
Part of subcall function 0040912D: GetAsyncKeyState.USER32(00000002), ref: 0040919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00488B6B
ImageList_EndDrag.COMCTL32 ref: 00488B71
ReleaseCapture.USER32 ref: 00488B77
SetWindowTextW.USER32(?,00000000), ref: 00488C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00488C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00488CFF

Strings

@GUI_DRAGFILE, xrefs: 00488C9A
p#L, xrefs: 00488C71
@GUI_DROPID, xrefs: 00488C51

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#L
API String ID: 1924731296-65872278
Opcode ID: 846a3eb91a6ce992647533309bf65a89e47ecb710912a98349e8efa4ffd319dc
Instruction ID: 2f09b46a4bae2785e0ef3c732fb886649b9aa738fc835eae7e011a831a6912a9
Opcode Fuzzy Hash: 846a3eb91a6ce992647533309bf65a89e47ecb710912a98349e8efa4ffd319dc
Instruction Fuzzy Hash: DF517B70504204AFD700EF25DC95FAE77E4FB88754F400A2EF9566B2E2DB749904CB6A

Function 00463388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 004633CF

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 004633F0

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00463504
"%s" (%d) : ==> %s:, xrefs: 00463522
Line %d (File "%s"):, xrefs: 00463443, 0046345C
Error: , xrefs: 004634D1
Incorrect parameters to object property !, xrefs: 004634AB
^ ERROR , xrefs: 0046349E

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 31280d245c5803f71d9394cb1d758168a38fc500ee824d176a53d32182d2f657
Instruction ID: 95ea1e9117fc4f38a5f834719469869b483dc7579d50c630a84982d0b3697d8b
Opcode Fuzzy Hash: 31280d245c5803f71d9394cb1d758168a38fc500ee824d176a53d32182d2f657
Instruction Fuzzy Hash: 1F51AD71900259BADF16EBA0CD42EFEB378AF04345F204066F505761A2EB392F58CB69

Function 0045B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0045B5FC
_wcslen.LIBCMT ref: 0045B608
_wcslen.LIBCMT ref: 0045B64D
_wcslen.LIBCMT ref: 0045B68C
_wcslen.LIBCMT ref: 0045B6C7

Strings

REMOVE, xrefs: 0045B602, 0045B607
EXISTS, xrefs: 0045B686, 0045B68B
KEYS, xrefs: 0045B647, 0045B64C
APPEND, xrefs: 0045B6C1, 0045B6C6

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 71f9ccbbabaf02fac191b382a772638057284d92238e479d5813efef7f832024
Instruction ID: bc3a8696c577d864c1dd772c32393e7e850f1a8e802c1afc1cc9c98f1848c76c
Opcode Fuzzy Hash: 71f9ccbbabaf02fac191b382a772638057284d92238e479d5813efef7f832024
Instruction Fuzzy Hash: 79411532A000269ACB106F7D88905BF77A1EFA0755B24412BEC21DB386E739CC85C7D5

Function 00465393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004653A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00465416
GetLastError.KERNEL32 ref: 00465420
SetErrorMode.KERNEL32(00000000,READY), ref: 004654A7

Strings

INVALID, xrefs: 00465459
NOTREADY, xrefs: 0046544B
READY, xrefs: 00465460, 00465468
UNKNOWN, xrefs: 00465444
READONLY, xrefs: 00465452

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 0fa2dbc450afb02ff0b83afb1e3622fb82d9314b568e34626715cd83f11c5eb3
Instruction ID: 46efd04a48ac9cee71bf95231e9e041e98423be88451ed673366f7ddc9d80b0c
Opcode Fuzzy Hash: 0fa2dbc450afb02ff0b83afb1e3622fb82d9314b568e34626715cd83f11c5eb3
Instruction Fuzzy Hash: 6D31A335A006049FC711DF68C484BAA7BB4EF45305F1484ABE505CF392EB79DD86CBA6

Function 00483C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00483C79
SetMenu.USER32(?,00000000), ref: 00483C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00483D10
IsMenu.USER32(?), ref: 00483D24
CreatePopupMenu.USER32 ref: 00483D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00483D5B
DrawMenuBar.USER32 ref: 00483D63

Strings

F, xrefs: 00483D4E
0, xrefs: 00483C54

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 93b2ef4eb886156134c74200c467c13245f15e94f71088e3d04440399906161c
Instruction ID: 701700726a5e73681bb4a34ad9fa6c75977d20d783e24b6d982070f5b3702602
Opcode Fuzzy Hash: 93b2ef4eb886156134c74200c467c13245f15e94f71088e3d04440399906161c
Instruction Fuzzy Hash: 4D4179B5A01209AFDF14DF64D884EAE7BF5FF49341F14482EE90697360D734AA10CBA8

Function 00451EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

Part of subcall function 00453CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00453CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00451F64
GetDlgCtrlID.USER32 ref: 00451F6F
GetParent.USER32 ref: 00451F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00451F8E
GetDlgCtrlID.USER32(?), ref: 00451F97
GetParent.USER32(?), ref: 00451FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00451FAE

Strings

ListBox, xrefs: 00451F21
ComboBox, xrefs: 00451EEC

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: bf2a262c9716c96d72a9a19f8112c563bbf50a993270357cd4e314bc730da99c
Instruction ID: 60f82a6205cf8b68426ea2cc488cd54fd8d8f336b84cdb1df9928e1855c25437
Opcode Fuzzy Hash: bf2a262c9716c96d72a9a19f8112c563bbf50a993270357cd4e314bc730da99c
Instruction Fuzzy Hash: 1C21C871900114BBCF05AFA0DC85FFEBB74EF05350B10056AF951672A1DB395908DB78

Function 00451FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

Part of subcall function 00453CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00453CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00452043
GetDlgCtrlID.USER32 ref: 0045204E
GetParent.USER32 ref: 0045206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0045206D
GetDlgCtrlID.USER32(?), ref: 00452076
GetParent.USER32(?), ref: 0045208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0045208D

Strings

ListBox, xrefs: 00452002
ComboBox, xrefs: 00451FCD

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: b370a75bf709da62b20be0fa3d223f74f4944c367fac001639c68441a90808f0
Instruction ID: c5facf04ff6c5a92450023a4a84ed29772c116862f70c48e7b504206f727b9af
Opcode Fuzzy Hash: b370a75bf709da62b20be0fa3d223f74f4944c367fac001639c68441a90808f0
Instruction Fuzzy Hash: 3521B371900218BBCF11AFA0DD85BFEBBB8AF05340F100467FA51A7292D6795518DB74

Function 00483A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00483A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00483AA0
GetWindowLongW.USER32(?,000000F0), ref: 00483AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00483AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00483B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00483BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00483BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00483BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00483BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00483C13

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 61e5f68a12592320eefe39e223f5a63033595b32d1dceaea7b6139f812cda1f8
Instruction ID: acd38336165f97eb10b0d3ccfafaecd7a3a69742e923af650a003457ecb2b94a
Opcode Fuzzy Hash: 61e5f68a12592320eefe39e223f5a63033595b32d1dceaea7b6139f812cda1f8
Instruction Fuzzy Hash: D6618EB5900248AFDB10EF64CC81EEE77B8EF09704F10046AFA15A73A2D774AE45DB54

Function 00422C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00422C94

Part of subcall function 004229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0042D7D1,00000000,00000000,00000000,00000000,?,0042D7F8,00000000,00000007,00000000,?,0042DBF5,00000000), ref: 004229DE
Part of subcall function 004229C8: GetLastError.KERNEL32(00000000,?,0042D7D1,00000000,00000000,00000000,00000000,?,0042D7F8,00000000,00000007,00000000,?,0042DBF5,00000000,00000000), ref: 004229F0

_free.LIBCMT ref: 00422CA0
_free.LIBCMT ref: 00422CAB
_free.LIBCMT ref: 00422CB6
_free.LIBCMT ref: 00422CC1
_free.LIBCMT ref: 00422CCC
_free.LIBCMT ref: 00422CD7
_free.LIBCMT ref: 00422CE2
_free.LIBCMT ref: 00422CED
_free.LIBCMT ref: 00422CFB

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0708d2ef0f31e2891347ff9ca25b756c5e6ce101c75d6a761a75db5828fffc9c
Instruction ID: b42d3b70af5c7a602d15bdbfb6c6c32db1967305625165700ea54422be7e08b3
Opcode Fuzzy Hash: 0708d2ef0f31e2891347ff9ca25b756c5e6ce101c75d6a761a75db5828fffc9c
Instruction Fuzzy Hash: CB1199B5300118BFCB02EF55EA42CDD3B65FF09354FC144AAF9485B222D675EA909B54

Function 00467DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00467FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00467FC1
GetFileAttributesW.KERNEL32(?), ref: 00467FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00468005
SetCurrentDirectoryW.KERNEL32(?), ref: 00468017
SetCurrentDirectoryW.KERNEL32(?), ref: 00468060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 004680B0

Strings

*.*, xrefs: 00468066

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 17953cfc1602a42c42505ebef596bd4a7dc4ae615f5cd041efe281340522b3e6
Instruction ID: 45c86177b29509e5d5e1356b82045de453a3487279a8ffb171b398051ba4f7f2
Opcode Fuzzy Hash: 17953cfc1602a42c42505ebef596bd4a7dc4ae615f5cd041efe281340522b3e6
Instruction Fuzzy Hash: EA81AF725083059BCB20EF54C4409ABB3E8AF88318F144D6FF885C7250EB3ADD498B5B

Function 003F5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 003F5C7A

Part of subcall function 003F5D0A: GetClientRect.USER32(?,?), ref: 003F5D30
Part of subcall function 003F5D0A: GetWindowRect.USER32(?,?), ref: 003F5D71
Part of subcall function 003F5D0A: ScreenToClient.USER32(?,?), ref: 003F5D99

GetDC.USER32 ref: 004346F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00434708
SelectObject.GDI32(00000000,00000000), ref: 00434716
SelectObject.GDI32(00000000,00000000), ref: 0043472B
ReleaseDC.USER32(?,00000000), ref: 00434733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 004347C4

Strings

U, xrefs: 00434693

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 90a8f7363154f8be7ec97b803557a29d0bbff73892839cf4f09d45c84bd0239a
Instruction ID: d33696807b31993a450d545f2cd8c7b3c174638107d7b16ca1433722f0297f0c
Opcode Fuzzy Hash: 90a8f7363154f8be7ec97b803557a29d0bbff73892839cf4f09d45c84bd0239a
Instruction Fuzzy Hash: EE710435400209DFCF219F64C985AFA7BB5FF8A314F14126AEE525A2A6C338A841DF64

Function 0046359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004635E4

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

LoadStringW.USER32(004C2390,?,00000FFF,?), ref: 0046360A

Strings

"%s" (%d) : ==> %s:, xrefs: 00463742
"%s" (%d) : ==> %s:%s%s, xrefs: 00463724
Line %d (File "%s"):, xrefs: 0046366B
Error: , xrefs: 004636EF
^ ERROR, xrefs: 004636C9

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: d7f0922eaf42e1a0c62452419ec13a8444a7887e46d47b28cd993d441e5ee7a3
Instruction ID: 9af0c90beb4d1bc8fc252cc1f4625a60772290acabbafe1c6e4bfb0f14c979b0
Opcode Fuzzy Hash: d7f0922eaf42e1a0c62452419ec13a8444a7887e46d47b28cd993d441e5ee7a3
Instruction Fuzzy Hash: 83518C7190024DBADF16EFA0CC42EEEBB78AF04345F144126F605761A2EB341A99DF69

Function 0046C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0046C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0046C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0046C2CA
GetLastError.KERNEL32 ref: 0046C322
SetEvent.KERNEL32(?), ref: 0046C336
InternetCloseHandle.WININET(00000000), ref: 0046C341

Strings

, xrefs: 0046C2BB

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 388376ae60c827fc8b9c7ca6db6059fa806108f3edc909f9967ee361d3c13099
Instruction ID: 6d8a1149503b69150bc10fcfbc1d7ce4adafefc9567d9eaa33c397f341780048
Opcode Fuzzy Hash: 388376ae60c827fc8b9c7ca6db6059fa806108f3edc909f9967ee361d3c13099
Instruction Fuzzy Hash: 73316171500204AFD7219F6598C4A7B7AFCEB45744B10852EF88692340EB38DD459B7A

Function 0045989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00433AAF,?,?,Bad directive syntax error,0048CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 004598BC
LoadStringW.USER32(00000000,?,00433AAF,?), ref: 004598C3

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00459987

Strings

Line %d:, xrefs: 00459912
%s (%d) : ==> %s.: %s %s, xrefs: 004598F1
Line %d (File "%s"):, xrefs: 0045992D
Error: , xrefs: 00459955
., xrefs: 0045996D

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 52d58925a2a2017d158d47b03e9c516cd63b9eb6b4e507840e527a07930fcfd6
Instruction ID: ab93eaadc188b7b52daa71c929ae79821ee9ac7d2bf2a5296f16afe8983c778e
Opcode Fuzzy Hash: 52d58925a2a2017d158d47b03e9c516cd63b9eb6b4e507840e527a07930fcfd6
Instruction Fuzzy Hash: 91216D3190021EEBCF16EF90CC46FEE7775BF18345F04446BF615661A2EA39AA18CB25

Function 0045209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 004520AB
GetClassNameW.USER32(00000000,?,00000100), ref: 004520C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0045214D

Strings

largeicons, xrefs: 004520E1
list, xrefs: 0045212F
SHELLDLL_DefView, xrefs: 004520CC
details, xrefs: 004520FB
smallicons, xrefs: 00452115

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 0ac19625b2fd4f9cb668a1775802cd742a7fc67ab182358c818783d8439fd8a4
Instruction ID: 1524e517af4764603b9711b45c3e74a2a7a168af88e335f1d7e8b11d7f138fd8
Opcode Fuzzy Hash: 0ac19625b2fd4f9cb668a1775802cd742a7fc67ab182358c818783d8439fd8a4
Instruction Fuzzy Hash: 7B112776688B07B9F60526219C06EEB739CCF06325B20002BFF04A40D3FAAD68465A2C

Function 0042CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0042CEB7
_free.LIBCMT ref: 0042CF22
_free.LIBCMT ref: 0042CF48
_free.LIBCMT ref: 0042CF71
_free.LIBCMT ref: 0042CFA9
_free.LIBCMT ref: 0042CFDA
_free.LIBCMT ref: 0042D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0042D09C
_free.LIBCMT ref: 0042D0B5

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 00b2e965584e3493bca76e3d109ab14ce37960e7799c1b363c6e2b61d8337e96
Instruction ID: 8ecf44d5ee49712c17a0e9b5bc95a0f2095afeaf3484a60eae8b7674395271ae
Opcode Fuzzy Hash: 00b2e965584e3493bca76e3d109ab14ce37960e7799c1b363c6e2b61d8337e96
Instruction Fuzzy Hash: E56157B1B04220ABDB21AFB5BD81A6E7B95AF05314F85026FF801973C1DA7D9941879C

Function 004850D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00485186
ShowWindow.USER32(?,00000000), ref: 004851C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 004851CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 004851D1

Part of subcall function 00486FBA: DeleteObject.GDI32(00000000), ref: 00486FE6

GetWindowLongW.USER32(?,000000F0), ref: 0048520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0048521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0048524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00485287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00485296

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: d1c6426e5af813d27b88cd634e1e256572c5f37e34ef93d2a8d673bdecd5dd11
Instruction ID: c759cbd2254ed4867fc50ad5a8ca7815fd53d45b2dd3f0bf46e2c89658f3b6ec
Opcode Fuzzy Hash: d1c6426e5af813d27b88cd634e1e256572c5f37e34ef93d2a8d673bdecd5dd11
Instruction Fuzzy Hash: A951D130A40A08FEEF20AF25CC49BDD3B61FB05325F144867F614A62E1CB79A990DF59

Function 00408B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00446890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 004468A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 004468B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 004468D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 004468F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00408874,00000000,00000000,00000000,000000FF,00000000), ref: 00446901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0044691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00408874,00000000,00000000,00000000,000000FF,00000000), ref: 0044692D

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 376cbbbe15bcb53f4b290b9a06d34e3e7ca9671270b63a561e6807d754951b97
Instruction ID: 84fd6cea90f1d29cd7689acee7b7641abebe110f7ff8f1265664a147853fa1de
Opcode Fuzzy Hash: 376cbbbe15bcb53f4b290b9a06d34e3e7ca9671270b63a561e6807d754951b97
Instruction Fuzzy Hash: 56518CB0600209EFDB209F25CC91FAA7BB5FB45750F10452EF942A62E0DB78E991DB58

Function 0046C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0046C182
GetLastError.KERNEL32 ref: 0046C195
SetEvent.KERNEL32(?), ref: 0046C1A9

Part of subcall function 0046C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0046C272
Part of subcall function 0046C253: GetLastError.KERNEL32 ref: 0046C322
Part of subcall function 0046C253: SetEvent.KERNEL32(?), ref: 0046C336
Part of subcall function 0046C253: InternetCloseHandle.WININET(00000000), ref: 0046C341

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 58737442260699c59b3e9b308e215ce3c4521683f7c7a2826b830af3c280cca7
Instruction ID: 971958e19a0c2fca2074c40f225e29c2f91d5a1e81ca7b4a91c23539293cb2a6
Opcode Fuzzy Hash: 58737442260699c59b3e9b308e215ce3c4521683f7c7a2826b830af3c280cca7
Instruction Fuzzy Hash: 5631A371900705AFDB219FA5DC94A7B7BF9FF14300B00486EF99682610E738E8159FA6

Function 004525A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00453A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00453A57
Part of subcall function 00453A3D: GetCurrentThreadId.KERNEL32 ref: 00453A5E
Part of subcall function 00453A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004525B3), ref: 00453A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 004525BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 004525DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 004525DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 004525E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00452601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00452605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0045260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00452623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00452627

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 14971c79ce6c9cff1fb77cc9480cd0ea6c2f8031eec0e4acff6a784318b24479
Instruction ID: e3a82d68e153152d46bcf380948a0891d719f5be9c2a2ba830618d780ce29cb2
Opcode Fuzzy Hash: 14971c79ce6c9cff1fb77cc9480cd0ea6c2f8031eec0e4acff6a784318b24479
Instruction Fuzzy Hash: EC01D831390214BBFB1067699CCEF593F59DB4EB52F10042AF714AE0D5C9F114488A7D

Function 00451803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00451449,?,?,00000000), ref: 0045180C
HeapAlloc.KERNEL32(00000000,?,00451449,?,?,00000000), ref: 00451813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00451449,?,?,00000000), ref: 00451828
GetCurrentProcess.KERNEL32(?,00000000,?,00451449,?,?,00000000), ref: 00451830
DuplicateHandle.KERNEL32(00000000,?,00451449,?,?,00000000), ref: 00451833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00451449,?,?,00000000), ref: 00451843
GetCurrentProcess.KERNEL32(00451449,00000000,?,00451449,?,?,00000000), ref: 0045184B
DuplicateHandle.KERNEL32(00000000,?,00451449,?,?,00000000), ref: 0045184E
CreateThread.KERNEL32(00000000,00000000,00451874,00000000,00000000,00000000), ref: 00451868

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: e1f2bcb32b348bededf1a94df2a181ae54d85fb979895467402c097b396eeb07
Instruction ID: 0b3e0950913e9f6e315da38dbe2e5f02c675ea8af5bf8caebea2a0b432ac7692
Opcode Fuzzy Hash: e1f2bcb32b348bededf1a94df2a181ae54d85fb979895467402c097b396eeb07
Instruction Fuzzy Hash: 6401AC75240304BFE610ABA5DCCDF5B3B6CEB89B11F004425FA05DB1A1D6759C008F34

Function 00423E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00423F0B
__alldvrm.LIBCMT ref: 0042410C
__alldvrm.LIBCMT ref: 0042412E

Strings

}}A, xrefs: 004240CD
}}A, xrefs: 00423E96, 00423EF1, 00423F0A, 00424090
}}A, xrefs: 00423E8A

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}A$}}A$}}A
API String ID: 1036877536-1592832002
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: f3d7ceb3756fcc71c6d17f5e57dc4bc0656c58303c57c8c8bd55df100a5f2c16
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 54A14671B002A69FDB11CF18E8817BABBF4EFA6354F54416FE5859B381C23C9982C758

Function 0047A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0045D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0045D501
Part of subcall function 0045D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0045D50F
Part of subcall function 0045D4DC: CloseHandle.KERNELBASE(00000000), ref: 0045D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0047A16D
GetLastError.KERNEL32 ref: 0047A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0047A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0047A268
GetLastError.KERNEL32(00000000), ref: 0047A273
CloseHandle.KERNEL32(00000000), ref: 0047A2C4

Strings

SeDebugPrivilege, xrefs: 0047A18F

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 1d128e88aac11bd9e28e5c592c460470e8afa0ac0c0fb88c1e61310e4b0cbbd5
Instruction ID: 7fb4c1f3cd712be01fb5f79ac461eb2860ba507073127fbc50c3578c3597b9f0
Opcode Fuzzy Hash: 1d128e88aac11bd9e28e5c592c460470e8afa0ac0c0fb88c1e61310e4b0cbbd5
Instruction Fuzzy Hash: 37618E31204242AFD710DF18C494F6ABBA1AF84318F54C49DE45A4F7A3C77AEC49CB96

Function 00483886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00483925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0048393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00483954
_wcslen.LIBCMT ref: 00483999
SendMessageW.USER32(?,00001057,00000000,?), ref: 004839C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 004839F4

Strings

SysListView32, xrefs: 004838F7

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: b48dd315ceb1d453af9d96dacd3e7e34f54b8533dce0de1c794f891649185232
Instruction ID: bd272f113395a3d6b098024b282a76ff9a8b622db33025bf7cf63d2ad3dc4924
Opcode Fuzzy Hash: b48dd315ceb1d453af9d96dacd3e7e34f54b8533dce0de1c794f891649185232
Instruction Fuzzy Hash: 3141B571A00218ABDB21AF64CC45FEF77A9EF08754F10092BF544E7291D7799E84CB98

Function 0045BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0045BCFD
IsMenu.USER32(00000000), ref: 0045BD1D
CreatePopupMenu.USER32 ref: 0045BD53
GetMenuItemCount.USER32(00D76E60), ref: 0045BDA4
InsertMenuItemW.USER32(00D76E60,?,00000001,00000030), ref: 0045BDCC

Strings

2, xrefs: 0045BD37
0, xrefs: 0045BCA8

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: f7d21bcf5c476c9fa1d08e6d312352b7a2a63c22632ba8108dd78486b335cb92
Instruction ID: 669360b0a132cc908f36b1488d3c8567c7bf58da3dbca081db33a98ca9a5a5db
Opcode Fuzzy Hash: f7d21bcf5c476c9fa1d08e6d312352b7a2a63c22632ba8108dd78486b335cb92
Instruction Fuzzy Hash: 7C51D270600209ABDF11CFA9C8C4BAEBBF5EF44316F14412AEC4197392D778994DCBA9

Function 00412D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00412D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00412D53
_ValidateLocalCookies.LIBCMT ref: 00412DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00412E0C
_ValidateLocalCookies.LIBCMT ref: 00412E61

Strings

csm, xrefs: 00412DF6
&HA, xrefs: 00412DFE, 00412E07, 00412E18

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &HA$csm
API String ID: 1170836740-2536196076
Opcode ID: 29292c755217402edde40500423bf9af6e5cb993e8aab304d4a5674afb3d643e
Instruction ID: b52905374fc3345b515913f73822002b3adbc2d4077bef2c8be53d3ffb7c5d6e
Opcode Fuzzy Hash: 29292c755217402edde40500423bf9af6e5cb993e8aab304d4a5674afb3d643e
Instruction Fuzzy Hash: 3D41EA34A002089BCF10DF59D944ADFBBB4BF44314F148157E8149B352D7799AA1CBD8

Function 0045C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0045C913

Strings

stop, xrefs: 0045C8E4
info, xrefs: 0045C8B4
warning, xrefs: 0045C8FC
question, xrefs: 0045C8CC
blank, xrefs: 0045C895

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 9472258589d86b699e0ab7d5455766107a6894c55608acfa5e20af03263e036a
Instruction ID: be839510f23b6bd0e403d1db3147214e7c791531d13ad0a05edba74cb55ea798
Opcode Fuzzy Hash: 9472258589d86b699e0ab7d5455766107a6894c55608acfa5e20af03263e036a
Instruction Fuzzy Hash: 9E110872789306BEA7006B159CC2DEB679CDF1575AB21002FF900A6283DB7C5D4552AD

Function 0045DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0045DE42
gethostname.WSOCK32(?,00000100), ref: 0045DE5C
gethostbyname.WSOCK32(?), ref: 0045DE69
inet_ntoa.WSOCK32(?), ref: 0045DEAB
_strcat.LIBCMT ref: 0045DEB9
WSACleanup.WSOCK32 ref: 0045DEDE

Strings

0.0.0.0, xrefs: 0045DE87

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: fbb277c402a54225bf8f699578936de38cddf440550717832ca0df3da94430cc
Instruction ID: d0da2f6f9a0886d1a15ef13493f79cf781531c7d49adbf99d8d4f383cb4a990d
Opcode Fuzzy Hash: fbb277c402a54225bf8f699578936de38cddf440550717832ca0df3da94430cc
Instruction Fuzzy Hash: 1F112471800109ABCB34BB319C4AEEF37ACDF51316F00017FF805A6092EF788A858B68

Function 00489F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00409BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00409BB2

GetSystemMetrics.USER32(0000000F), ref: 00489FC7
GetSystemMetrics.USER32(0000000F), ref: 00489FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0048A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0048A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0048A263
ShowWindow.USER32(00000003,00000000), ref: 0048A282
InvalidateRect.USER32(?,00000000,00000001), ref: 0048A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 0048A2CA

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 8490da7f5eb00f742a1aacaaf08e18165f8770dd6340efe2142f41433b361209
Instruction ID: 3b5882b487c0a15c45d9c454ef5e728710dff3498651276ca247834ba60ad70e
Opcode Fuzzy Hash: 8490da7f5eb00f742a1aacaaf08e18165f8770dd6340efe2142f41433b361209
Instruction Fuzzy Hash: AFB1CC31600215DFEF24DF68C9887AE3BB2BF44701F0884AAEC459B395D779A950CB66

Function 0045ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0045ED2A
_wcslen.LIBCMT ref: 0045ED3B
_wcslen.LIBCMT ref: 0045ED79
_wcslen.LIBCMT ref: 0045EDAF
_wcslen.LIBCMT ref: 0045EDDF
_wcslen.LIBCMT ref: 0045EDEF
_wcslen.LIBCMT ref: 0045EE2B
_wcslen.LIBCMT ref: 0045EE5A

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 7c630a3ee097e0762e09864c7e82ea27388841e746dfb2281e6f7c0e96c8399b
Instruction ID: 6dd039c406e029797ef7acfcdba5246e1c7c1b26ad219757a6144ede4d3ee701
Opcode Fuzzy Hash: 7c630a3ee097e0762e09864c7e82ea27388841e746dfb2281e6f7c0e96c8399b
Instruction Fuzzy Hash: 474194B5D1011875CB11EBF6888A9CFB7A8AF45710F50846BE914E3162FB38D395C3AD

Function 0040F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0044682C,00000004,00000000,00000000), ref: 0040F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0044682C,00000004,00000000,00000000), ref: 0044F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0044682C,00000004,00000000,00000000), ref: 0044F454

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: d5dc7160e44681f177dc8d5091257a94933e267f03d1af14b7c5176dff52b6c2
Instruction ID: 4ae75237f5a3adf2bfeadc1457be019f873211722d6c367b93a594fb068308c8
Opcode Fuzzy Hash: d5dc7160e44681f177dc8d5091257a94933e267f03d1af14b7c5176dff52b6c2
Instruction Fuzzy Hash: 7F412CB1208640BAD7349B39D888B2B7B91AB96314F54443FE44772FE1D63DA889CB1D

Function 00482D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00482D1B
GetDC.USER32(00000000), ref: 00482D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00482D2E
ReleaseDC.USER32(00000000,00000000), ref: 00482D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00482D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00482D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00485A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00482DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00482DE1

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 512d637d48f2e36fcaa6d1f6e621c47e8a413f6aa84988ce0649011add455911
Instruction ID: 265f3074ff6e72798320041ea92058bcd3945252ce9ac07fa5c3f96a6c726f8f
Opcode Fuzzy Hash: 512d637d48f2e36fcaa6d1f6e621c47e8a413f6aa84988ce0649011add455911
Instruction Fuzzy Hash: 3B319F72201214BFEB115F54CC89FEB3FA9EF09755F044469FE08AA291D6B99C41CBB8

Function 00455622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00455637
_memcmp.LIBVCRUNTIME ref: 00455659
_memcmp.LIBVCRUNTIME ref: 00455671
_memcmp.LIBVCRUNTIME ref: 00455684
_memcmp.LIBVCRUNTIME ref: 0045569E
_memcmp.LIBVCRUNTIME ref: 004556B1
_memcmp.LIBVCRUNTIME ref: 004556C9
_memcmp.LIBVCRUNTIME ref: 004556E4

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: f65fb9739d1d0244364257b7c85c55e005ab50f1328c522736ed28e3eb09b94b
Instruction ID: bdf6ebd21a75a77352c8f2b9a7832776332dc29246273ff3bbac6826e405e927
Opcode Fuzzy Hash: f65fb9739d1d0244364257b7c85c55e005ab50f1328c522736ed28e3eb09b94b
Instruction Fuzzy Hash: 0C21AD7164190DB7E21466124DA2FFF335CAF14346F640027FD085AA56F72CEE1986AD

Function 00474FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00475007
NULL Pointer assignment, xrefs: 0047502E, 00475383

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: f57a97d668a1df3339ee47040ae17721aa891d5a249db1158aa2203b558f3ed5
Instruction ID: b27bd2729eb8a41d139a2653c365a6ae47eb832954383c612480dc811a8e78c4
Opcode Fuzzy Hash: f57a97d668a1df3339ee47040ae17721aa891d5a249db1158aa2203b558f3ed5
Instruction Fuzzy Hash: 1DD19171A0060A9FDB10CFA8C881BEEB7B5FF48344F14C46AE919AB291D7B4DD45CB64

Function 00431522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,004317FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 004315CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004317FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00431651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,004317FB,?,004317FB,00000000,00000000,?,00000000,?,?,?,?), ref: 004316E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004317FB,00000000,00000000,?,00000000,?,?,?,?), ref: 004316FB

Part of subcall function 00423820: RtlAllocateHeap.NTDLL(00000000,?,004C1444,?,0040FDF5,?,?,003FA976,00000010,004C1440,003F13FC,?,003F13C6,?,003F1129), ref: 00423852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004317FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00431777
__freea.LIBCMT ref: 004317A2
__freea.LIBCMT ref: 004317AE

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 65df1a23ffff886cfe1a5814860cea1212cc5b0a9356bc944c93fc8649418824
Instruction ID: 45edd733506f9f27479bd6caa0d43713a0da16328a00b30d4480552909d7ece6
Opcode Fuzzy Hash: 65df1a23ffff886cfe1a5814860cea1212cc5b0a9356bc944c93fc8649418824
Instruction Fuzzy Hash: CE919371E00255ABDB208FA4C881EEF7BB59F4D714F18656BE801E7261DB39DC41CB68

Function 00474523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00474648
VariantInit.OLEAUT32(?), ref: 00474749
VariantClear.OLEAUT32(?), ref: 00474753
VariantClear.OLEAUT32(?), ref: 004747B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0047472C
Null Object assignment in FOR..IN loop, xrefs: 004745D8, 00474706, 004747BE

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 5eacfcbcde7a54110bf01c265612e5e3bf7522daf222b34fb37ad4ae72f26f9c
Instruction ID: 8bb02bb70d6fc837ddbc89c827f5c0a06f5ada2ad9c6ebba196a46bc10258350
Opcode Fuzzy Hash: 5eacfcbcde7a54110bf01c265612e5e3bf7522daf222b34fb37ad4ae72f26f9c
Instruction Fuzzy Hash: D2918071A00219ABDF24CFA5C884FEFB7B8AF85714F10855AF509AB280D7789945CFA4

Function 00461187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0046125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00461284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 004612A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004612D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0046135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004613C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00461430

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 870b920be71cf0de4bd058a6dd967d1f7177473ed4c9c1d8a40a8abf6782f3a4
Instruction ID: ed286f47d434b638abc8aa02ff81fc58ec016e27bcbc3c59595c3431cf02c4e2
Opcode Fuzzy Hash: 870b920be71cf0de4bd058a6dd967d1f7177473ed4c9c1d8a40a8abf6782f3a4
Instruction Fuzzy Hash: EB9105719002189FDB00DFA5C895BBE77B5FF44714F18406BE901EB3A1EB78A941CB9A

Function 0040948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: ac1a0513e709b68ba5ba63ba3a925b80bf45fd64a5d404562ca9ea325857b8a7
Instruction ID: 313451044a63bfadd1b2deac475ffb8ef511beae5d4e75b889b0bca4a7baca5a
Opcode Fuzzy Hash: ac1a0513e709b68ba5ba63ba3a925b80bf45fd64a5d404562ca9ea325857b8a7
Instruction Fuzzy Hash: D0910771900219EFCB10CFA9CC84AEEBBB8FF49324F14455AE515B7291D378AD42CB64

Function 00473947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0047396B
CharUpperBuffW.USER32(?,?), ref: 00473A7A
_wcslen.LIBCMT ref: 00473A8A
VariantClear.OLEAUT32(?), ref: 00473C1F

Part of subcall function 00460CDF: VariantInit.OLEAUT32(00000000), ref: 00460D1F
Part of subcall function 00460CDF: VariantCopy.OLEAUT32(?,?), ref: 00460D28
Part of subcall function 00460CDF: VariantClear.OLEAUT32(?), ref: 00460D34

Strings

Incorrect Parameter format, xrefs: 004739A6, 00473BA1
AUTOIT.ERROR, xrefs: 00473A80, 00473A85

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: bf6e71bdf0516bc2280bf8753ef8c3c901f9a31884162e0f8d2a13d955356e7a
Instruction ID: 2f169eab9eeb22e9f134df0c750203d55bbab39cdd791c520e39937ca0f48fe5
Opcode Fuzzy Hash: bf6e71bdf0516bc2280bf8753ef8c3c901f9a31884162e0f8d2a13d955356e7a
Instruction Fuzzy Hash: FA91AC756083059FC700EF24C4819AAB7E4FF89315F14886EF88A9B352DB34EE05CB96

Function 00474BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0045000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0044FF41,80070057,?,?,?,0045035E), ref: 0045002B
Part of subcall function 0045000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0044FF41,80070057,?,?), ref: 00450046
Part of subcall function 0045000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0044FF41,80070057,?,?), ref: 00450054
Part of subcall function 0045000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0044FF41,80070057,?), ref: 00450064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00474C51
_wcslen.LIBCMT ref: 00474D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00474DCF
CoTaskMemFree.OLE32(?), ref: 00474DDA

Strings

NULL Pointer assignment, xrefs: 00474E23, 00474E52

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: f81a949bb7d2fb343f5d813cd70bd0bcc0b763da92742b2b819b7db806a95148
Instruction ID: f8176d7588c0b52adb6f1c3bcaaeadb2ae13b1b3a0adbcde8325838904c48a24
Opcode Fuzzy Hash: f81a949bb7d2fb343f5d813cd70bd0bcc0b763da92742b2b819b7db806a95148
Instruction Fuzzy Hash: 34914971D0021DAFDF11DFA4C881AEEB7B8FF48314F10816AE919AB241DB749A45CFA4

Function 004820FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00482183
GetMenuItemCount.USER32(00000000), ref: 004821B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 004821DD
_wcslen.LIBCMT ref: 00482213
GetMenuItemID.USER32(?,?), ref: 0048224D
GetSubMenu.USER32(?,?), ref: 0048225B

Part of subcall function 00453A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00453A57
Part of subcall function 00453A3D: GetCurrentThreadId.KERNEL32 ref: 00453A5E
Part of subcall function 00453A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004525B3), ref: 00453A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 004822E3

Part of subcall function 0045E97B: Sleep.KERNEL32 ref: 0045E9F3

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 02c29402f34b4ad3d4920d75145577a99fd0136ce7bfdccfd1229dc0324f1ed2
Instruction ID: 914b23103b3b2ca7426316afa636188ba956a78c6b47d11c6c1b55227994f55e
Opcode Fuzzy Hash: 02c29402f34b4ad3d4920d75145577a99fd0136ce7bfdccfd1229dc0324f1ed2
Instruction Fuzzy Hash: 2F71B175E00215AFCB11EF65C985AAEB7F1FF48310F1088AAE916EB341D778ED418B94

Function 00487E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00D76D70), ref: 00487F37
IsWindowEnabled.USER32(00D76D70), ref: 00487F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0048801E
SendMessageW.USER32(00D76D70,000000B0,?,?), ref: 00488051
IsDlgButtonChecked.USER32(?,?), ref: 00488089
GetWindowLongW.USER32(00D76D70,000000EC), ref: 004880AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 004880C3

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 610a548b3e5c3d3536c66fa734510f02d04d858bbd78c6e55a025ac0394f91f2
Instruction ID: aba79a2e80073a85230d81c029deab643fc7493ba99d1a1b567066ff242eaa53
Opcode Fuzzy Hash: 610a548b3e5c3d3536c66fa734510f02d04d858bbd78c6e55a025ac0394f91f2
Instruction Fuzzy Hash: 61717274508204AFDB21AF55C894FAF7BB5EF0A300F24485EEB5557361CB35E845DB28

Function 0045AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0045AEF9
GetKeyboardState.USER32(?), ref: 0045AF0E
SetKeyboardState.USER32(?), ref: 0045AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0045AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0045AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0045AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0045B020

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 6ec1cb589fa4e2c8f7d2853adf211fed068a35e0bc3eef70c793c4f4b089d6af
Instruction ID: fa96e349483240ad124fb07fdada7544f3738b45526bb548695f0b3d61ff48b1
Opcode Fuzzy Hash: 6ec1cb589fa4e2c8f7d2853adf211fed068a35e0bc3eef70c793c4f4b089d6af
Instruction Fuzzy Hash: E15104A16043D13DFB3242348C45BBBBEA99B06705F08898AF9D9555C3D39CACDCD3A9

Function 0045ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0045AD19
GetKeyboardState.USER32(?), ref: 0045AD2E
SetKeyboardState.USER32(?), ref: 0045AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0045ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0045ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0045AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0045AE38

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: d2916e6b68acdad78b14adab70b1664401aba45da69e470f59f2712a059cd8d4
Instruction ID: dc1c77052027c246d28d5bdb854a79b7e4b7183efe99ade29d1d828ab3aab3e8
Opcode Fuzzy Hash: d2916e6b68acdad78b14adab70b1664401aba45da69e470f59f2712a059cd8d4
Instruction Fuzzy Hash: B25128A15443D53DF73252248C46B7BBEA96B05302F08868AE4D5569C3D39CECACD36A

Function 0042542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00433CD6,?,?,?,?,?,?,?,?,00425BA3,?,?,00433CD6,?,?), ref: 00425470
__fassign.LIBCMT ref: 004254EB
__fassign.LIBCMT ref: 00425506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00433CD6,00000005,00000000,00000000), ref: 0042552C
WriteFile.KERNEL32(?,00433CD6,00000000,00425BA3,00000000,?,?,?,?,?,?,?,?,?,00425BA3,?), ref: 0042554B
WriteFile.KERNEL32(?,?,00000001,00425BA3,00000000,?,?,?,?,?,?,?,?,?,00425BA3,?), ref: 00425584

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 6a3d6044c0102533efa9979a5210decad4a2218bf52b2cec01217fa531e07eca
Instruction ID: b7a9407c634d6c8942f921161e4259e0f3afa31962071d9b395fdc44d0df0e2b
Opcode Fuzzy Hash: 6a3d6044c0102533efa9979a5210decad4a2218bf52b2cec01217fa531e07eca
Instruction Fuzzy Hash: 5151E770A00618AFDB10CFA8E885AEEBBF5EF09301F14451FF555E7291D7349A81CB68

Function 004710B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0047304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0047307A
Part of subcall function 0047304E: _wcslen.LIBCMT ref: 0047309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00471112
WSAGetLastError.WSOCK32 ref: 00471121
WSAGetLastError.WSOCK32 ref: 004711C9
closesocket.WSOCK32(00000000), ref: 004711F9

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: f85aaa63fb9b55a999c1fc081e5317f29b3e3f78b2584c6b312c06829d0c1d91
Instruction ID: e3b74ee51a6ca19a9e774c5e219a92e00b6b74546dfdb8db5451935c9fba7c2d
Opcode Fuzzy Hash: f85aaa63fb9b55a999c1fc081e5317f29b3e3f78b2584c6b312c06829d0c1d91
Instruction Fuzzy Hash: CD41E431600208AFDB109F58C884BEAB7E9EF49324F54C06AF9099F2A1C774AD45CBE5

Function 0045CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0045DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0045CF22,?), ref: 0045DDFD

Part of subcall function 0045DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0045CF22,?), ref: 0045DE16

lstrcmpiW.KERNEL32(?,?), ref: 0045CF45
MoveFileW.KERNEL32(?,?), ref: 0045CF7F
_wcslen.LIBCMT ref: 0045D005
_wcslen.LIBCMT ref: 0045D01B
SHFileOperationW.SHELL32(?), ref: 0045D061

Strings

\*.*, xrefs: 0045CFF3

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 3f32ace5488cce0ebcdc1c7021a8e7a971038aa9b0f4ba604274ad899003ef78
Instruction ID: 199423ff8edbf58b502e159ac034f84941b21d26e7586aa7afd18f8dd8184715
Opcode Fuzzy Hash: 3f32ace5488cce0ebcdc1c7021a8e7a971038aa9b0f4ba604274ad899003ef78
Instruction Fuzzy Hash: E6415872D452185FDF12EBA5DD81ADE77B8AF08385F1000EBE505EB142EA38A788CB54

Function 00482DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00482E1C
GetWindowLongW.USER32(?,000000F0), ref: 00482E4F
GetWindowLongW.USER32(?,000000F0), ref: 00482E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00482EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00482EE0
GetWindowLongW.USER32(?,000000F0), ref: 00482EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00482F0B

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: d9be9ff7fbe9c7771ef50e19617c24206a5c30e6d50c89b85a038a57e329afce
Instruction ID: f1fc31ae0b9c14c825802eb533dc923572964ad7b88d60247902d420f1323702
Opcode Fuzzy Hash: d9be9ff7fbe9c7771ef50e19617c24206a5c30e6d50c89b85a038a57e329afce
Instruction Fuzzy Hash: D2312430604250AFDB21EF18DD84F6A37E0FB8A710F14057AFA009F2B2CBB5A840DB19

Function 00457726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00457769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0045778F
SysAllocString.OLEAUT32(00000000), ref: 00457792
SysAllocString.OLEAUT32(?), ref: 004577B0
SysFreeString.OLEAUT32(?), ref: 004577B9
StringFromGUID2.OLE32(?,?,00000028), ref: 004577DE
SysAllocString.OLEAUT32(?), ref: 004577EC

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: e6444e24cff14f38c848bc426dc40d309e54e7ce78c76822e90f3142ea06b6f4
Instruction ID: d533f0c90f74d5267fa8e412a54d187f00867125110fdab2c7b0f349a79e0074
Opcode Fuzzy Hash: e6444e24cff14f38c848bc426dc40d309e54e7ce78c76822e90f3142ea06b6f4
Instruction Fuzzy Hash: B921A176604219AFDB10DFA8EC88CBB77ACEB09764700843AFD04DB291D674EC458B68

Function 004577FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00457842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00457868
SysAllocString.OLEAUT32(00000000), ref: 0045786B
SysAllocString.OLEAUT32 ref: 0045788C
SysFreeString.OLEAUT32 ref: 00457895
StringFromGUID2.OLE32(?,?,00000028), ref: 004578AF
SysAllocString.OLEAUT32(?), ref: 004578BD

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 8c2d7fc46cea131ba08a714931b6bd48f92854542886de0f169ea34272a29689
Instruction ID: d5877a8f0f4abcbddc27c7edee66637174c27bb29250375e206213e958c0f864
Opcode Fuzzy Hash: 8c2d7fc46cea131ba08a714931b6bd48f92854542886de0f169ea34272a29689
Instruction Fuzzy Hash: F5217731604114AFDB10AFA9EC8CDAB77ECEB097617108536F915CB2A2D674DC49CB78

Function 004604D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 004604F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0046052E

Strings

nul, xrefs: 00460567

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 5367b4b7f5ffb1a580b9f42ee2e5a7cb9eb02112a95a219b35b183c68f173425
Instruction ID: 0dbf230db5884ec295f617ece842c0e2cc6f96f0111282230d4174591bb19b2d
Opcode Fuzzy Hash: 5367b4b7f5ffb1a580b9f42ee2e5a7cb9eb02112a95a219b35b183c68f173425
Instruction Fuzzy Hash: 42216D75500305ABDB209F29DC44A9B77A4AF45724F204A2AF8A2D62E0F7749951CF29

Function 004605A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 004605C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00460601

Strings

nul, xrefs: 00460639

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: b0ecbcda85782d1fef2eb4c8d8c48c989c91a3a73d938ae433bddaac5ac33c8f
Instruction ID: 4d1541fee30c211a2f062298cbcfc861c7d3724d49e4a6d43f37588eb8524a85
Opcode Fuzzy Hash: b0ecbcda85782d1fef2eb4c8d8c48c989c91a3a73d938ae433bddaac5ac33c8f
Instruction Fuzzy Hash: 652183755003059BDB209F69DC44A9B77E4AF95724F200A1AF8A1E73E0E7749861CB2A

Function 004840AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003F600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 003F604C
Part of subcall function 003F600E: GetStockObject.GDI32(00000011), ref: 003F6060
Part of subcall function 003F600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 003F606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00484112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0048411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0048412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00484139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00484145

Strings

Msctls_Progress32, xrefs: 004840E3

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 78cc188cb5d3c9e4c49a65c97e37d98b94f0f8523844e661962dc4e8e12f1f66
Instruction ID: 65bef063fa6f10532bc5e3f1f2f62f404983986353257fbc1a3ce481038c4555
Opcode Fuzzy Hash: 78cc188cb5d3c9e4c49a65c97e37d98b94f0f8523844e661962dc4e8e12f1f66
Instruction Fuzzy Hash: A411D3B115021A7EEF119F64CC85EEB7F5DEF08398F014111BA18A2150CB769C219BA4

Function 0042D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0042D7A3: _free.LIBCMT ref: 0042D7CC

_free.LIBCMT ref: 0042D82D

Part of subcall function 004229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0042D7D1,00000000,00000000,00000000,00000000,?,0042D7F8,00000000,00000007,00000000,?,0042DBF5,00000000), ref: 004229DE
Part of subcall function 004229C8: GetLastError.KERNEL32(00000000,?,0042D7D1,00000000,00000000,00000000,00000000,?,0042D7F8,00000000,00000007,00000000,?,0042DBF5,00000000,00000000), ref: 004229F0

_free.LIBCMT ref: 0042D838
_free.LIBCMT ref: 0042D843
_free.LIBCMT ref: 0042D897
_free.LIBCMT ref: 0042D8A2
_free.LIBCMT ref: 0042D8AD
_free.LIBCMT ref: 0042D8B8

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: cbba1242cf76be80aa107b77dbc11bd47c3308b046ae1a59affd0977960c5973
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 331151B1B40B24BAD521BFB2EC47FCB7BDC6F44704FC0082EB2D9A6092DA6DB5454654

Function 0045DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0045DA74
LoadStringW.USER32(00000000), ref: 0045DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0045DA91
LoadStringW.USER32(00000000), ref: 0045DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0045DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0045DAB9

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: a51fb2b9a1add36f63a0a39218f6ad919f8f721b597aa5585aea0b4d0f5dff54
Instruction ID: 86c0e5dc60bcd9592ff5a18f621cf454be46611acc376a03ae1b87aca79c49ba
Opcode Fuzzy Hash: a51fb2b9a1add36f63a0a39218f6ad919f8f721b597aa5585aea0b4d0f5dff54
Instruction Fuzzy Hash: AB013BF69002087FE711A7A49DC9EEB776CEB04705F444867B745E2041E6749D844F79

Function 0046096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00D6B208,00D6B208), ref: 0046097B
EnterCriticalSection.KERNEL32(00D6B1E8,00000000), ref: 0046098D
TerminateThread.KERNEL32(?,000001F6), ref: 0046099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 004609A9
CloseHandle.KERNEL32(?), ref: 004609B8
InterlockedExchange.KERNEL32(00D6B208,000001F6), ref: 004609C8
LeaveCriticalSection.KERNEL32(00D6B1E8), ref: 004609CF

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 29de9d8fa119c632128595272167775245ea5a808c63b50cd6ef144aa66eab2c
Instruction ID: ef34c5400e9c045df47060088d17aeb6c40dc9a32a8ba49d9f0e070ac5ec7bd6
Opcode Fuzzy Hash: 29de9d8fa119c632128595272167775245ea5a808c63b50cd6ef144aa66eab2c
Instruction Fuzzy Hash: B6F01D71442902ABD7415B94EECCADA7B25BF01712F40242AF101508A0D7749465CFA8

Function 00471C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00471DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00471DE1
WSAGetLastError.WSOCK32 ref: 00471DF2
htons.WSOCK32(?,?,?,?,?), ref: 00471EDB
inet_ntoa.WSOCK32(?), ref: 00471E8C

Part of subcall function 004539E8: _strlen.LIBCMT ref: 004539F2

Part of subcall function 00473224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0046EC0C), ref: 00473240

_strlen.LIBCMT ref: 00471F35

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: fb1104c8062c3f8d2cc48ee493357253ef7c1b1e5516c3e85f866a5d009d2492
Instruction ID: f4c5f1d13c1d74ee4318c3118ed7afa296cdac17f106fe960708228455b3d219
Opcode Fuzzy Hash: fb1104c8062c3f8d2cc48ee493357253ef7c1b1e5516c3e85f866a5d009d2492
Instruction Fuzzy Hash: 98B1DF70204300AFC324DF28C891E6A7BA5AF84318F54895EF55A5F3E2CB35ED46CB96

Function 003F5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 003F5D30
GetWindowRect.USER32(?,?), ref: 003F5D71
ScreenToClient.USER32(?,?), ref: 003F5D99
GetClientRect.USER32(?,?), ref: 003F5ED7
GetWindowRect.USER32(?,?), ref: 003F5EF8

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: ce06fd5dee4b686f40e253e1d826f42d0cc8d05a9bafa8d5ad557b1dec5e07d8
Instruction ID: 9e748202583f0845f54d5ea4fc1624e998ab71bd7d48154b05fbddfb645c7933
Opcode Fuzzy Hash: ce06fd5dee4b686f40e253e1d826f42d0cc8d05a9bafa8d5ad557b1dec5e07d8
Instruction Fuzzy Hash: 67B17778A00A4ADBDB14CFA8C4807FEB7F1FF58310F14941AEAA9D7650DB34AA51CB54

Function 004201B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 004200BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004200D6
__allrem.LIBCMT ref: 004200ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042010B
__allrem.LIBCMT ref: 00420122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00420140

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 9afd728bf78528d33ddea05b7b68c68854bbbf4e3791c0cc6ed274505f208177
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: F3811671B007129BE7209A29EC41BAB73E9AF41328F64412FF511D7382E7B9D9428798

Function 004261FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,004182D9,004182D9,?,?,?,0042644F,00000001,00000001,8BE85006), ref: 00426258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0042644F,00000001,00000001,8BE85006,?,?,?), ref: 004262DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 004263D8
__freea.LIBCMT ref: 004263E5

Part of subcall function 00423820: RtlAllocateHeap.NTDLL(00000000,?,004C1444,?,0040FDF5,?,?,003FA976,00000010,004C1440,003F13FC,?,003F13C6,?,003F1129), ref: 00423852

__freea.LIBCMT ref: 004263EE
__freea.LIBCMT ref: 00426413

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: d09a7b82560bad3d8b21db730205a5a0e1246f118c2e66cc2301057749868281
Instruction ID: 34fe021adbb77e755b057b766828e16fbcc94b74aabafedccb2a05bd61310cc1
Opcode Fuzzy Hash: d09a7b82560bad3d8b21db730205a5a0e1246f118c2e66cc2301057749868281
Instruction Fuzzy Hash: DB51F472700226ABDB259F64EC81EAF77A9EF44714F96466EFC05D6240DB3CDC40CA68

Function 0047BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

Part of subcall function 0047C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047B6AE,?,?), ref: 0047C9B5
Part of subcall function 0047C998: _wcslen.LIBCMT ref: 0047C9F1
Part of subcall function 0047C998: _wcslen.LIBCMT ref: 0047CA68
Part of subcall function 0047C998: _wcslen.LIBCMT ref: 0047CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0047BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0047BD25
RegCloseKey.ADVAPI32(00000000), ref: 0047BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0047BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0047BDF3
RegCloseKey.ADVAPI32(?), ref: 0047BDFF

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: f334aaa703d7e337e348beca938b26136d4b7d8da80ab28d21ad534309938cb4
Instruction ID: 7603340aba0bda48f29219b23a6c1372181d713bd00339b738c7fe835240a149
Opcode Fuzzy Hash: f334aaa703d7e337e348beca938b26136d4b7d8da80ab28d21ad534309938cb4
Instruction Fuzzy Hash: DE818970208241AFC715DF24C881F6ABBE5FF84308F14896EF5598B2A2DB35ED45CB96

Function 0044F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0044F7B9
SysAllocString.OLEAUT32(00000001), ref: 0044F860
VariantCopy.OLEAUT32(0044FA64,00000000), ref: 0044F889
VariantClear.OLEAUT32(0044FA64), ref: 0044F8AD
VariantCopy.OLEAUT32(0044FA64,00000000), ref: 0044F8B1
VariantClear.OLEAUT32(?), ref: 0044F8BB

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: f4df02cfb076ec6b8eb36d9ceb3bca3a96c3f37342eccdefea6a564026dd54be
Instruction ID: c719a68ebcd049e000274489fcd53646e2607ede520dcf2e4ffec57187c8777a
Opcode Fuzzy Hash: f4df02cfb076ec6b8eb36d9ceb3bca3a96c3f37342eccdefea6a564026dd54be
Instruction Fuzzy Hash: A251E771A00310BAEF24AB65D895B29B3A4EF45714B24847BE906DF291DB788C48C76F

Function 0046910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 003F7620: _wcslen.LIBCMT ref: 003F7625

Part of subcall function 003F6B57: _wcslen.LIBCMT ref: 003F6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 004694E5
_wcslen.LIBCMT ref: 00469506
_wcslen.LIBCMT ref: 0046952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00469585

Strings

X, xrefs: 00469412

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: ac12719966e5311f88ba3717aca69e5164886c3f2196018dd1c6003db8f36d13
Instruction ID: a132103b52f64ca81d8ab58065db7a1d7215a6eb5088ac3b468a2556cf713ad0
Opcode Fuzzy Hash: ac12719966e5311f88ba3717aca69e5164886c3f2196018dd1c6003db8f36d13
Instruction Fuzzy Hash: B8E1BF716083009FC725DF24C881A6AB7E4BF85314F04896EF9899B3A2EB74DD45CB96

Function 0040920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00409BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00409BB2

BeginPaint.USER32(?,?,?), ref: 00409241
GetWindowRect.USER32(?,?), ref: 004092A5
ScreenToClient.USER32(?,?), ref: 004092C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 004092D3
EndPaint.USER32(?,?,?,?,?), ref: 00409321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 004471EA

Part of subcall function 00409339: BeginPath.GDI32(00000000), ref: 00409357

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: ad838697b4298fe13d3bd8975c263a9c05ff9c6f862568c1b1195ffae116e0b6
Instruction ID: d372052d295b3b7446b610ed212f2def32226561701a6a69fe5d01f36d020ca7
Opcode Fuzzy Hash: ad838697b4298fe13d3bd8975c263a9c05ff9c6f862568c1b1195ffae116e0b6
Instruction Fuzzy Hash: FD418D70104201AFD711DF25CC84FAA7BA8EB4A324F14067EF954962F2C7359C46DB6A

Function 004607EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0046080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00460847
EnterCriticalSection.KERNEL32(?), ref: 00460863
LeaveCriticalSection.KERNEL32(?), ref: 004608DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 004608F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00460921

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 078fccb168acf1b69ffeb340fb101e8fb64d12f6d23659c96c1c700b3a866415
Instruction ID: b093d6a1650cd82936426c0423fb1539a14a16f411ccb3f275c0385d6fdf4942
Opcode Fuzzy Hash: 078fccb168acf1b69ffeb340fb101e8fb64d12f6d23659c96c1c700b3a866415
Instruction Fuzzy Hash: F4418871900205EBDF14EF55DC85AAB77B9FF44314F1040BAED00AA296DB34DE64CBA8

Function 004881DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0044F3AB,00000000,?,?,00000000,?,0044682C,00000004,00000000,00000000), ref: 0048824C
EnableWindow.USER32(?,00000000), ref: 00488272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 004882D1
ShowWindow.USER32(?,00000004), ref: 004882E5
EnableWindow.USER32(?,00000001), ref: 0048830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0048832F

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: a344fde779955aef25b9a678d6aae9e90f6b53e3bdddc4ef86e083c3b2271037
Instruction ID: cab391f7d7bf73d3d06a9e4e50dbc70949ecb73988f5c3dcea59cd2729f35113
Opcode Fuzzy Hash: a344fde779955aef25b9a678d6aae9e90f6b53e3bdddc4ef86e083c3b2271037
Instruction Fuzzy Hash: 1841C474601644AFDB22EF15C895FAD7BE0BB06714F5805BEE9088B372CB36A841CB58

Function 00454C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00454C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00454CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00454CEA
_wcslen.LIBCMT ref: 00454D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00454D10
_wcsstr.LIBVCRUNTIME ref: 00454D1A

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 9ccf2a35160f3cfbb24a38bccef5ea142c1f346a85048b47a7d23dbe081c48d0
Instruction ID: 9b5f836ad33c864881fdf9b91b3317106ec9bde4f0f9aa1b79e3809d44870bee
Opcode Fuzzy Hash: 9ccf2a35160f3cfbb24a38bccef5ea142c1f346a85048b47a7d23dbe081c48d0
Instruction Fuzzy Hash: A621F8312041007BEB255B26DC45A7F7BA8DF85754F10403FFC05DE292EA79DC8992A4

Function 0046581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 003F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003F3A97,?,?,003F2E7F,?,?,?,00000000), ref: 003F3AC2

_wcslen.LIBCMT ref: 0046587B
CoInitialize.OLE32(00000000), ref: 00465995
CoCreateInstance.OLE32(0048FCF8,00000000,00000001,0048FB68,?), ref: 004659AE
CoUninitialize.OLE32 ref: 004659CC

Strings

.lnk, xrefs: 00465876, 004658C1, 00465985

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 6cea03213dfff2285cfc709a33a605c1c15df6ce1a96477dfe3d9de35ead391b
Instruction ID: 1f569d8d84d3528eca047b5256dbcc199f1f46dc9f07e21392d34acc3b63bdf3
Opcode Fuzzy Hash: 6cea03213dfff2285cfc709a33a605c1c15df6ce1a96477dfe3d9de35ead391b
Instruction Fuzzy Hash: D3D153B06047059FC714DF25C480A2ABBE1FF89714F14895EF88A9B361EB35EC49CB96

Function 0045175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00450FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00450FCA
Part of subcall function 00450FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00450FD6
Part of subcall function 00450FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00450FE5
Part of subcall function 00450FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00450FEC
Part of subcall function 00450FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00451002

GetLengthSid.ADVAPI32(?,00000000,00451335), ref: 004517AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 004517BA
HeapAlloc.KERNEL32(00000000), ref: 004517C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 004517DA
GetProcessHeap.KERNEL32(00000000,00000000,00451335), ref: 004517EE
HeapFree.KERNEL32(00000000), ref: 004517F5

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 31b06a3cbd7f5c1ea33d375d3de1b34234bfdb2164265e00760b4262d5edf206
Instruction ID: d5b1bf2c16d756b9835e9a7c90508a9b7c58f16db20fba89aa9b79171214367d
Opcode Fuzzy Hash: 31b06a3cbd7f5c1ea33d375d3de1b34234bfdb2164265e00760b4262d5edf206
Instruction Fuzzy Hash: 77118431500205FFDB109FA8DCC9BAF77A9EB46356F10452DF84197221D7399948CB68

Function 004514CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 004514FF
OpenProcessToken.ADVAPI32(00000000), ref: 00451506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00451515
CloseHandle.KERNEL32(00000004), ref: 00451520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0045154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00451563

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 3f73f4dc6129ffe21b88d03bb2487bf9a1a3c772d8e80104d90c3aa7caef7092
Instruction ID: 6352e36ece4a548060da9bededa830ea963f946618aed91fb83e8328f225f85f
Opcode Fuzzy Hash: 3f73f4dc6129ffe21b88d03bb2487bf9a1a3c772d8e80104d90c3aa7caef7092
Instruction Fuzzy Hash: E9118C7210020DABDF118F98DD89FDE3BA9EF49745F044029FE05A2160D3758E65EB65

Function 00413382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00413379,00412FE5), ref: 00413390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0041339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004133B7
SetLastError.KERNEL32(00000000,?,00413379,00412FE5), ref: 00413409

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: a9f472305e45b357ed301babce3aac17e972df0c2f03870b4c508fa343a72447
Instruction ID: f84962ed4c81748bb3fedc013a966b7bf523ee1d385cca25a2e32fce21532017
Opcode Fuzzy Hash: a9f472305e45b357ed301babce3aac17e972df0c2f03870b4c508fa343a72447
Instruction Fuzzy Hash: 69019E32709311ABAA253FB57CC56EB2A94EB0577B720033FF820852F1EF194D92565C

Function 00422D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00425686,00433CD6,?,00000000,?,00425B6A,?,?,?,?,?,0041E6D1,?,004B8A48), ref: 00422D78
_free.LIBCMT ref: 00422DAB
_free.LIBCMT ref: 00422DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0041E6D1,?,004B8A48,00000010,003F4F4A,?,?,00000000,00433CD6), ref: 00422DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0041E6D1,?,004B8A48,00000010,003F4F4A,?,?,00000000,00433CD6), ref: 00422DEC
_abort.LIBCMT ref: 00422DF2

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: eab66bdfc030f6dd3a27fa76a83ecab6cf8ea7131921e373235afc4d301d51e9
Instruction ID: 17afdb2d5ada70e8428e61248c23fc6ded1650e88ea7eeef4d3699cafd68ea83
Opcode Fuzzy Hash: eab66bdfc030f6dd3a27fa76a83ecab6cf8ea7131921e373235afc4d301d51e9
Instruction Fuzzy Hash: C6F0F93575453077C2522B3A7E46E5F1559AFC1765BA0052FF824922D2DFBC8802417C

Function 00488A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00409639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00409693
Part of subcall function 00409639: SelectObject.GDI32(?,00000000), ref: 004096A2
Part of subcall function 00409639: BeginPath.GDI32(?), ref: 004096B9
Part of subcall function 00409639: SelectObject.GDI32(?,00000000), ref: 004096E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00488A4E
LineTo.GDI32(?,00000003,00000000), ref: 00488A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00488A70
LineTo.GDI32(?,00000000,00000003), ref: 00488A80
EndPath.GDI32(?), ref: 00488A90
StrokePath.GDI32(?), ref: 00488AA0

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 7390b3c49dcf8b055916ba3cf8dcd984148a0dcae529bb44fe3148e0c59d40af
Instruction ID: afb1a8375d40acda1a75d697568ad6e627961b369819fbdd3ccccca546bc988e
Opcode Fuzzy Hash: 7390b3c49dcf8b055916ba3cf8dcd984148a0dcae529bb44fe3148e0c59d40af
Instruction Fuzzy Hash: 65110976400108FFDB129F90DC88EAE7F6DEB09394F008426BA199A1A1C7719D55DFA4

Function 004551FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00455218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00455229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00455230
ReleaseDC.USER32(00000000,00000000), ref: 00455238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0045524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00455261

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 3eb4fc8880fba15743b1fad68a41535b3940a998afa01a8b812bd74d25a05904
Instruction ID: 317e3ba14e41d5d56128b28b728f74f35f493501b22594faa8df60d53847d40f
Opcode Fuzzy Hash: 3eb4fc8880fba15743b1fad68a41535b3940a998afa01a8b812bd74d25a05904
Instruction Fuzzy Hash: 92014475A00714BBEB105BF59C89A5EBF78EF44751F04447AFA04E7281D6709805CFA4

Function 003F1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 003F1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 003F1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 003F1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 003F1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 003F1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 003F1C22

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 955b89a244ad8a0d98d23e33cc4b0276ed438343272a13ea9e30cfe56d55a3b3
Instruction ID: e64fb44cad9e3bee6c2abe41a45e626825a679d63d9fbb341b94087f606f6f5c
Opcode Fuzzy Hash: 955b89a244ad8a0d98d23e33cc4b0276ed438343272a13ea9e30cfe56d55a3b3
Instruction Fuzzy Hash: 7D016CB09027597DE3008F5A8C85B56FFA8FF19354F00411B915C47941C7F5A864CBE5

Function 0045EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0045EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0045EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0045EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0045EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0045EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0045EB75

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: c93f4a86f41cc9c69bf9713ee956745a97c8e57a90d6ed1042a230705593edd4
Instruction ID: c540b0c06c12fb4b0c5d2550e6153285f0e0a863d3e88dedfbaae63eaf373b5c
Opcode Fuzzy Hash: c93f4a86f41cc9c69bf9713ee956745a97c8e57a90d6ed1042a230705593edd4
Instruction Fuzzy Hash: C8F01D72540158BBE62157529C8DEAF3A7CEBCAB11F00056DFA01E1191E7B05A018BB9

Function 00447439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00447452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00447469
GetWindowDC.USER32(?), ref: 00447475
GetPixel.GDI32(00000000,?,?), ref: 00447484
ReleaseDC.USER32(?,00000000), ref: 00447496
GetSysColor.USER32(00000005), ref: 004474B0

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 8530eb0962a0aa702a64ebbd0eb0066cc47e9a84867e8d9fd2689a4894a5744f
Instruction ID: 948914efd47ae4ffc1c3a6e3e8cb207075136a5dde640de3c0884d74ed4f472a
Opcode Fuzzy Hash: 8530eb0962a0aa702a64ebbd0eb0066cc47e9a84867e8d9fd2689a4894a5744f
Instruction Fuzzy Hash: D3018B31400215FFEB515FA4EC48BAE7BB5FF04321F100879F915A21B1CB351E42AB69

Function 00451874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0045187F
UnloadUserProfile.USERENV(?,?), ref: 0045188B
CloseHandle.KERNEL32(?), ref: 00451894
CloseHandle.KERNEL32(?), ref: 0045189C
GetProcessHeap.KERNEL32(00000000,?), ref: 004518A5
HeapFree.KERNEL32(00000000), ref: 004518AC

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: a8f10c9a03e7cf66ecb36c13b280e806dd35c9a267142dbcf619e6a8a60026dd
Instruction ID: 584eea221131b221d6cbc4d2dfcb706ee0dac568cab3e5ad9e22825e072f82e2
Opcode Fuzzy Hash: a8f10c9a03e7cf66ecb36c13b280e806dd35c9a267142dbcf619e6a8a60026dd
Instruction Fuzzy Hash: 46E0E536004101BBDB016FA1ED8CD0EBF39FF49B22B108A38F22581474CB329421EF68

Function 003FBBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 003FBEB3

Strings

D%L, xrefs: 003FBCA2
D%LD%L, xrefs: 003FBCA5
D%L, xrefs: 003FBDED, 003FBD91, 003FBD1B
D%L, xrefs: 003FBE9A

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%L$D%L$D%L$D%LD%L
API String ID: 1385522511-3295220586
Opcode ID: 439f83a7d3914eede6197a9acd2658c1335732afc0bd1273881ca8232f3d6824
Instruction ID: 3b415746559d67da7ca13c1b774d6092dfb8eab9bb88adea9224e612642c2e92
Opcode Fuzzy Hash: 439f83a7d3914eede6197a9acd2658c1335732afc0bd1273881ca8232f3d6824
Instruction Fuzzy Hash: F1914AB5A0020ADFCB59CF58C190ABAF7F5FF58310B25816EEA45AB350D771E981CB90

Function 00477B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00410242: EnterCriticalSection.KERNEL32(004C070C,004C1884,?,?,0040198B,004C2518,?,?,?,003F12F9,00000000), ref: 0041024D
Part of subcall function 00410242: LeaveCriticalSection.KERNEL32(004C070C,?,0040198B,004C2518,?,?,?,003F12F9,00000000), ref: 0041028A

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

Part of subcall function 004100A3: __onexit.LIBCMT ref: 004100A9

__Init_thread_footer.LIBCMT ref: 00477BFB

Part of subcall function 004101F8: EnterCriticalSection.KERNEL32(004C070C,?,?,00408747,004C2514), ref: 00410202
Part of subcall function 004101F8: LeaveCriticalSection.KERNEL32(004C070C,?,00408747,004C2514), ref: 00410235

Strings

+TD, xrefs: 00477E2E
Variable must be of type 'Object'., xrefs: 00477C3A
G, xrefs: 00477C7F
5, xrefs: 00477C78

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +TD$5$G$Variable must be of type 'Object'.
API String ID: 535116098-2061947132
Opcode ID: 110ff93933c11e9646d1b73603d7e4a1b4b0b739e69d0108fc98e72f374c7324
Instruction ID: 51f77272207f5e95022d70ed6729936a409cf22c1552089f7fcc0ef5657b821f
Opcode Fuzzy Hash: 110ff93933c11e9646d1b73603d7e4a1b4b0b739e69d0108fc98e72f374c7324
Instruction Fuzzy Hash: 92918C74A04209AFCB15EF55C9819FEB7B1AF48304F50805EF80A9B392DB799E41CB59

Function 0045C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003F7620: _wcslen.LIBCMT ref: 003F7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0045C6EE
_wcslen.LIBCMT ref: 0045C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0045C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0045C7CA

Strings

0, xrefs: 0045C6AF

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 441b40ac6ebf0e0d4d471f86388942a91d29a40c464d9863c6a65fd3b4cf6fcd
Instruction ID: 4f9cf93ffce41ef63766d4606d45ac9759bc83875567427ce8acbf4a38ed0afa
Opcode Fuzzy Hash: 441b40ac6ebf0e0d4d471f86388942a91d29a40c464d9863c6a65fd3b4cf6fcd
Instruction Fuzzy Hash: 0151DF71604302AFD7109F28C8C5B6B77E4AF49315F04092FFD95E26A2DB78D908CB9A

Function 0047AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0047AEA3

Part of subcall function 003F7620: _wcslen.LIBCMT ref: 003F7625

GetProcessId.KERNEL32(00000000), ref: 0047AF38
CloseHandle.KERNEL32(00000000), ref: 0047AF67

Strings

@, xrefs: 0047AE72
<, xrefs: 0047AE6B

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 4912519e61d4b244eb32c069901bcbc7f8cc82c980e4a0a3a659c48b3778da3f
Instruction ID: 763e1e6196d3f7140a2daf2367decdd5182cd306ac9ad578af1e3092bebafaa5
Opcode Fuzzy Hash: 4912519e61d4b244eb32c069901bcbc7f8cc82c980e4a0a3a659c48b3778da3f
Instruction Fuzzy Hash: 4E715B70A00619DFCB15DF54C484AAEBBF1FF48314F0484AAE81AAB392C778ED55CB95

Function 0045719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00457206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0045723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0045724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 004572CF

Strings

DllGetClassObject, xrefs: 00457242

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 4f7d035fbaf591a0f1c64dd75996ba5d801f5aabbb2405501792511ea36c554a
Instruction ID: 288d3ac3eff892292c188fc2529126eaae122ad65bb0a034ecc1ba18efdaba2b
Opcode Fuzzy Hash: 4f7d035fbaf591a0f1c64dd75996ba5d801f5aabbb2405501792511ea36c554a
Instruction Fuzzy Hash: CE419C71A04204AFDB15CF54D884A9A7BA9EF44311F2084BEBD099F20BD7B8D949CBA4

Function 00483D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00483E35
IsMenu.USER32(?), ref: 00483E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00483E92
DrawMenuBar.USER32 ref: 00483EA5

Strings

0, xrefs: 00483D89

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 8299c17df2659600706619863ffa9c216fed3026fa191b69b166c19afa661cd0
Instruction ID: f6c2d2a1a4deea8a40c599ce2aad1867903000b5f97ddbe3c914a7a94992d74c
Opcode Fuzzy Hash: 8299c17df2659600706619863ffa9c216fed3026fa191b69b166c19afa661cd0
Instruction Fuzzy Hash: BE4157B5A00209EFDB10EF50D884EAEBBB9FF49751F04482AE905A7350D734AE41CF64

Function 00451DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

Part of subcall function 00453CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00453CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00451E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00451E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00451EA9

Part of subcall function 003F6B57: _wcslen.LIBCMT ref: 003F6B6A

Strings

ListBox, xrefs: 00451E25
ComboBox, xrefs: 00451DF0

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 72120f2c60223b2238c52ef7d839cf287bbabacc47816fe8e56a64143385eb39
Instruction ID: 35e224688e50caea6c60571086aaab4e7a76692bf33e5af16b58eec2849cb2bf
Opcode Fuzzy Hash: 72120f2c60223b2238c52ef7d839cf287bbabacc47816fe8e56a64143385eb39
Instruction Fuzzy Hash: FC210471A00108BADB15AB61DC86EFFB7A99F41355B10452FFC21A72E2DB384D0E8624

Function 00482F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00482F8D
LoadLibraryW.KERNEL32(?), ref: 00482F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00482FA9
DestroyWindow.USER32(?), ref: 00482FB1

Strings

SysAnimate32, xrefs: 00482F68

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: a6511de4a483d2e7a0ec0b2001a616e941f7e6537babdbcd07a0eeb507805df7
Instruction ID: 80d5de0af434f61668b32ccf88fd23c519f72086dc27d985c05a3c36bc0b2eff
Opcode Fuzzy Hash: a6511de4a483d2e7a0ec0b2001a616e941f7e6537babdbcd07a0eeb507805df7
Instruction Fuzzy Hash: E521DE71204205ABEB106F64DD80EBF37B9EF59324F100A2AFB10D22A0D7B5DC51E768

Function 00414D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00414D1E,004228E9,?,00414CBE,004228E9,004B88B8,0000000C,00414E15,004228E9,00000002), ref: 00414D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00414DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00414D1E,004228E9,?,00414CBE,004228E9,004B88B8,0000000C,00414E15,004228E9,00000002,00000000), ref: 00414DC3

Strings

CorExitProcess, xrefs: 00414D98
mscoree.dll, xrefs: 00414D86

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 4050e4f0fc484bbf60d369dde255f9506506b374edbb5025a27a51b794c1d269
Instruction ID: f67b8e7b84fa0227685d50cd649e1840f49ad20482eaef20398ac7bb5a572544
Opcode Fuzzy Hash: 4050e4f0fc484bbf60d369dde255f9506506b374edbb5025a27a51b794c1d269
Instruction Fuzzy Hash: 4FF04435540208BBDF115F90DC89BDEBFB5EF44752F0001BAF905A2650CB745984CB99

Function 003F4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,003F4EDD,?,004C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003F4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 003F4EAE
FreeLibrary.KERNEL32(00000000,?,?,003F4EDD,?,004C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003F4EC0

Strings

kernel32.dll, xrefs: 003F4E94
Wow64DisableWow64FsRedirection, xrefs: 003F4EA8

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: b94aacea57ef6df3c4f139a12f76c71f64d28b04f1f358d8de4592f17554893a
Instruction ID: 8bbb6a6025578e0a075fafa09fb98840dada9822e9daaeda4258ba11409c1a2b
Opcode Fuzzy Hash: b94aacea57ef6df3c4f139a12f76c71f64d28b04f1f358d8de4592f17554893a
Instruction Fuzzy Hash: 0CE08635A025229B93331B257C9CB6F6554AF91F627060529FE00D2204DB74CD0586B8

Function 003F4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00433CDE,?,004C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003F4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 003F4E74
FreeLibrary.KERNEL32(00000000,?,?,00433CDE,?,004C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003F4E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 003F4E6E
kernel32.dll, xrefs: 003F4E5B

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 78c51bc9a8608a34c1f94b3ae0b9670e20980982652fe575c58df987e36d01b6
Instruction ID: 112e92a6e07d8ebd661fa414712a048df42e15fb21923cf218f380472265dcdc
Opcode Fuzzy Hash: 78c51bc9a8608a34c1f94b3ae0b9670e20980982652fe575c58df987e36d01b6
Instruction Fuzzy Hash: A8D0C231902A216747331B257C8CE9F2A18AF81F113060A29BA00A2114CF34CD058BF8

Function 00462947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00462C05
DeleteFileW.KERNEL32(?), ref: 00462C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00462C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00462CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00462CC0

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: a59899087fdc181bb6d60e9a08496fe3b4c15e4da31be87e003242eadf8b4b0c
Instruction ID: cff3721dd62224d4733f7ca604b5f28ffe661b59fce17a3db33d635910522b58
Opcode Fuzzy Hash: a59899087fdc181bb6d60e9a08496fe3b4c15e4da31be87e003242eadf8b4b0c
Instruction Fuzzy Hash: 4AB16D71D00519ABDF21DFA5CD85EEEB7BDEF48304F0040ABF609E6141EA74AA448F66

Function 0047A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0047A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047A468
CloseHandle.KERNEL32(?), ref: 0047A63D

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: e795a3ec31d8b3333b752ad5d69bdc4b2f37b02adf69dd92a506a603688d011c
Instruction ID: 9101f8349bdc645d4afa901e53c13368dac5fc0234f88971e44455973263b30f
Opcode Fuzzy Hash: e795a3ec31d8b3333b752ad5d69bdc4b2f37b02adf69dd92a506a603688d011c
Instruction Fuzzy Hash: 72A19271604301AFD720DF24C886F2AB7E5AF84714F14885EF99A9B3D2D7B4EC418B96

Function 0042BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00493700), ref: 0042BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,004C121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0042BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,004C1270,000000FF,?,0000003F,00000000,?), ref: 0042BC36
_free.LIBCMT ref: 0042BB7F

Part of subcall function 004229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0042D7D1,00000000,00000000,00000000,00000000,?,0042D7F8,00000000,00000007,00000000,?,0042DBF5,00000000), ref: 004229DE
Part of subcall function 004229C8: GetLastError.KERNEL32(00000000,?,0042D7D1,00000000,00000000,00000000,00000000,?,0042D7F8,00000000,00000007,00000000,?,0042DBF5,00000000,00000000), ref: 004229F0

_free.LIBCMT ref: 0042BD4B

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 64fff4180e434b2fa8c47886a3fbf41696ccc4d88f3d877036c8820d2e64af6c
Instruction ID: 3040c917712896d96938e9be0a4ec278d38527fb432b08b0b2b5ecfb969084ec
Opcode Fuzzy Hash: 64fff4180e434b2fa8c47886a3fbf41696ccc4d88f3d877036c8820d2e64af6c
Instruction Fuzzy Hash: 87511B75A00229AFC710DF66AC819AEB7BCEF45354B9042BFE510E72A1DB349D418BD8

Function 0045E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0045DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0045CF22,?), ref: 0045DDFD

Part of subcall function 0045DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0045CF22,?), ref: 0045DE16

Part of subcall function 0045E199: GetFileAttributesW.KERNEL32(?,0045CF95), ref: 0045E19A

lstrcmpiW.KERNEL32(?,?), ref: 0045E473
MoveFileW.KERNEL32(?,?), ref: 0045E4AC
_wcslen.LIBCMT ref: 0045E5EB
_wcslen.LIBCMT ref: 0045E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0045E650

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 68056c9c11d7e2cc7ff175481599e167ed5f96956b3e33fb16262786a5d2199f
Instruction ID: 3e3792644c2b15de30c549d8b32823fbbe235963c53c8d08b541cb978745e86b
Opcode Fuzzy Hash: 68056c9c11d7e2cc7ff175481599e167ed5f96956b3e33fb16262786a5d2199f
Instruction Fuzzy Hash: 3D5143B24083455BC724DB91DC81ADF73DC9F85345F40491FFA89D3152EE78A68C876A

Function 0047B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

Part of subcall function 0047C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047B6AE,?,?), ref: 0047C9B5
Part of subcall function 0047C998: _wcslen.LIBCMT ref: 0047C9F1
Part of subcall function 0047C998: _wcslen.LIBCMT ref: 0047CA68
Part of subcall function 0047C998: _wcslen.LIBCMT ref: 0047CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0047BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0047BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0047BB63
RegCloseKey.ADVAPI32(?,?), ref: 0047BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0047BBB3

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 9fc37692b305ea1e30b6f8701e84965689d60f6da53c23201f8e1d6c99fb9b84
Instruction ID: ea45b7f57c78be6f4c76c46cdf87d7c44c46ad107b91de1d7044262272379323
Opcode Fuzzy Hash: 9fc37692b305ea1e30b6f8701e84965689d60f6da53c23201f8e1d6c99fb9b84
Instruction Fuzzy Hash: EF618D71208205AFC715DF24C490F6ABBE5FF84348F14896EF4998B2A2DB35ED45CB92

Function 00458BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00458BCD
VariantClear.OLEAUT32 ref: 00458C3E
VariantClear.OLEAUT32 ref: 00458C9D
VariantClear.OLEAUT32(?), ref: 00458D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00458D3B

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 66edca7ca2407f22df8dcef747c12ec4cf953db31d8008b5572c24ccf374b3f2
Instruction ID: 2e849b1ca5a765950828d2652af1a0bd95aecafebdcacea5f2f65136b40d39c9
Opcode Fuzzy Hash: 66edca7ca2407f22df8dcef747c12ec4cf953db31d8008b5572c24ccf374b3f2
Instruction Fuzzy Hash: C0516B75A00219EFCB10CF58D884AAAB7F4FF89314B15855EE905EB350EB34E915CF94

Function 00468AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00468BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00468BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00468C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00468C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00468C5F

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: ee5bb0941af108fea5c3fc07102a36693d3c8e560e299293e201a750273a9658
Instruction ID: 06d479ca2b3734b4fc8d86815b9aec287f033a0e40dd2e7c0faa41041c49d1e7
Opcode Fuzzy Hash: ee5bb0941af108fea5c3fc07102a36693d3c8e560e299293e201a750273a9658
Instruction Fuzzy Hash: 20517F35A002199FCB01DF65C880E6EBBF1FF49314F088499E949AB3A2DB35ED45CB95

Function 00478EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00478F40
GetProcAddress.KERNEL32(00000000,?), ref: 00478FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00478FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00479032
FreeLibrary.KERNEL32(00000000), ref: 00479052

Part of subcall function 0040F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00461043,?,7644E610), ref: 0040F6E6
Part of subcall function 0040F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0044FA64,00000000,00000000,?,?,00461043,?,7644E610,?,0044FA64), ref: 0040F70D

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 7bd57d15e0aced17d2e63fb0ca680dee1e7ba83762ca51ec0a8971681e9c4526
Instruction ID: 0b96e451d444d1befc40bed93c1fca63f9628f0bb71a743d2418cc9417b3235c
Opcode Fuzzy Hash: 7bd57d15e0aced17d2e63fb0ca680dee1e7ba83762ca51ec0a8971681e9c4526
Instruction Fuzzy Hash: A7513A34600249DFCB11DF54C4949AEBBB1FF49314B0480AAE909AB362DB35ED86CB95

Function 00486B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00486C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00486C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00486C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0046AB79,00000000,00000000), ref: 00486C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00486CC7

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: d236bde336d61c8c334a227b673dab045b6264b6dfdaf5adf3288df920343702
Instruction ID: 623ace157d3bea4d880104249c5b191ce1a232678b5c1caea025d30bd5d9eeb2
Opcode Fuzzy Hash: d236bde336d61c8c334a227b673dab045b6264b6dfdaf5adf3288df920343702
Instruction Fuzzy Hash: 4441C475600114AFD764EF28CC94FAE7BA5EB09350F160A2AE855A73A0C375ED41CB58

Function 00422051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004220C3
_free.LIBCMT ref: 004220E3

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b9ae378d6313329409288605c0d4c6f6edb9be359c2080908d4a38f9408c0551
Instruction ID: 7a157c230d35d069c80f036a311ef01fe8b9751b9955dd3cf69241c3fca3ae4f
Opcode Fuzzy Hash: b9ae378d6313329409288605c0d4c6f6edb9be359c2080908d4a38f9408c0551
Instruction Fuzzy Hash: D8410272B00210AFCB20DF79DA80A6EB3E1EF88314F55416AE605EB391DB75AD01CB84

Function 0040912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00409141
ScreenToClient.USER32(00000000,?), ref: 0040915E
GetAsyncKeyState.USER32(00000001), ref: 00409183
GetAsyncKeyState.USER32(00000002), ref: 0040919D

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 9270e697019cca6681cef703a51e15bafb833c33720490776bddafa69a132760
Instruction ID: 12fdee1f1a38f8f84594a7dc0630a2f7cd4e6833b4cae735b61a70959561f857
Opcode Fuzzy Hash: 9270e697019cca6681cef703a51e15bafb833c33720490776bddafa69a132760
Instruction Fuzzy Hash: 21417E71A0861AFBEF059F64C844BEEB774FF05324F20822AE425A63D1C7786D51CB99

Function 00463874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 004638CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00463922
TranslateMessage.USER32(?), ref: 0046394B
DispatchMessageW.USER32(?), ref: 00463955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00463966

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 4b8c11409db7c3290a3e43b1e8c0ea10d70eb96e8f9b577abb962b85bf3d2771
Instruction ID: bb1ff0287ce62bead86746fbf48ef47533d84099492166c5736764d55e5b6b23
Opcode Fuzzy Hash: 4b8c11409db7c3290a3e43b1e8c0ea10d70eb96e8f9b577abb962b85bf3d2771
Instruction Fuzzy Hash: DB3166F05042C29AEB25DF359848FB737A4EB06305F14056FD452822A1F7B89A49CF2B

Function 0046CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0046C21E,00000000), ref: 0046CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0046CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0046C21E,00000000), ref: 0046CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0046C21E,00000000), ref: 0046CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0046C21E,00000000), ref: 0046CFF2

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 3d1fb62927bcddfa20a2496a6260a126a04015b2cd20b2fb08db60d2d8761e2e
Instruction ID: 9c3ddc967c751a7ade6131948b5875b9eb418af922d9731fab98147ca578dd46
Opcode Fuzzy Hash: 3d1fb62927bcddfa20a2496a6260a126a04015b2cd20b2fb08db60d2d8761e2e
Instruction Fuzzy Hash: 5D315C71A00205EFDB24DFA5C8C49BBBBFAEB14314B10443FF556D2280E738AD419BA9

Function 00451901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00451915
PostMessageW.USER32(00000001,00000201,00000001), ref: 004519C1
Sleep.KERNEL32(00000000,?,?,?), ref: 004519C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 004519DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 004519E2

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 683055d965d5d0f73c51b6f6fd133979469e80bfe5981f1650b09e97bf5d5d84
Instruction ID: cf04c11d3479dd832bb7c9fdfa244a2dc0576a669271394121f6e7d81948690d
Opcode Fuzzy Hash: 683055d965d5d0f73c51b6f6fd133979469e80bfe5981f1650b09e97bf5d5d84
Instruction Fuzzy Hash: 7831C2B1900219EFCB00CFA8CD99BDE7BB5EB44315F10462AFD21A72E2C7749958CB95

Function 00485706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00485745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0048579D
_wcslen.LIBCMT ref: 004857AF
_wcslen.LIBCMT ref: 004857BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00485816

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 72966cf34525744898a78ee17a24685e042b14eae7dd5649e8d215c81a639326
Instruction ID: 0d47ab0328f5a9c208649f48ef07d21c5610cdd67dc58b692b1031197a26bcd4
Opcode Fuzzy Hash: 72966cf34525744898a78ee17a24685e042b14eae7dd5649e8d215c81a639326
Instruction Fuzzy Hash: 0D21A7759046189ADB21EF60CC84AEEB778FF04724F108527E919EA290D7788985CF58

Function 00470930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00470951
GetForegroundWindow.USER32 ref: 00470968
GetDC.USER32(00000000), ref: 004709A4
GetPixel.GDI32(00000000,?,00000003), ref: 004709B0
ReleaseDC.USER32(00000000,00000003), ref: 004709E8

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: b759e1380aa9fb0443a342eaf71adcf890c0eb93bcb835d5617ca5a005acfb41
Instruction ID: 4c1a644bd39ab56d325f435d2930e39008f364ea49e56b9ee79d5bf206111a51
Opcode Fuzzy Hash: b759e1380aa9fb0443a342eaf71adcf890c0eb93bcb835d5617ca5a005acfb41
Instruction Fuzzy Hash: 6D218175600204EFD704EF69D984AAEBBE5EF45704F04847DE94AA7362DB34AC04CBA4

Function 0042CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0042CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042CDE9

Part of subcall function 00423820: RtlAllocateHeap.NTDLL(00000000,?,004C1444,?,0040FDF5,?,?,003FA976,00000010,004C1440,003F13FC,?,003F13C6,?,003F1129), ref: 00423852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0042CE0F
_free.LIBCMT ref: 0042CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042CE31

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 4d6b05fa62f437465cb8563c70870579fbf9c1cc48e8a53afa23ddc98cf11c36
Instruction ID: ab4ed7389d663d788e30138c24c69d3cb8b70599e5139791fe481282a1b180fb
Opcode Fuzzy Hash: 4d6b05fa62f437465cb8563c70870579fbf9c1cc48e8a53afa23ddc98cf11c36
Instruction Fuzzy Hash: 180171727016257F23211AB67CCCD7F696DDEC6BA1356022EFD05C7201EE698D0282B9

Function 00409639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00409693
SelectObject.GDI32(?,00000000), ref: 004096A2
BeginPath.GDI32(?), ref: 004096B9
SelectObject.GDI32(?,00000000), ref: 004096E2

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 526dfb5cbb1455cd06a52f5f5a82e9d3b92a70ef3f0ef95632353e41a43033a1
Instruction ID: 2a881fd673e7b3cbc4d62aaec86b14e62f606b0f94515031a8b1652ee97cccf8
Opcode Fuzzy Hash: 526dfb5cbb1455cd06a52f5f5a82e9d3b92a70ef3f0ef95632353e41a43033a1
Instruction Fuzzy Hash: 9A2160B0802205EBDB519F64EC48BAE3BA4BB52755F10063AF810A71F2D3799C51CF9C

Function 00455711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00455726
_memcmp.LIBVCRUNTIME ref: 00455744
_memcmp.LIBVCRUNTIME ref: 00455757
_memcmp.LIBVCRUNTIME ref: 0045576F
_memcmp.LIBVCRUNTIME ref: 00455787

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 7425f36336aa67442cc9338bcc0d1a3785359cb47cedcc5c7eeea41754ae10e5
Instruction ID: 86b9a5f6793469b74cfd8333fb500d9ef4fa62afca46ad5172b5eb541b639a0b
Opcode Fuzzy Hash: 7425f36336aa67442cc9338bcc0d1a3785359cb47cedcc5c7eeea41754ae10e5
Instruction Fuzzy Hash: 1201F97124160DBBE20866129D52FFF735C9B24399F200037FE049A642F72CEE5983AD

Function 00422DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0041F2DE,00423863,004C1444,?,0040FDF5,?,?,003FA976,00000010,004C1440,003F13FC,?,003F13C6), ref: 00422DFD
_free.LIBCMT ref: 00422E32
_free.LIBCMT ref: 00422E59
SetLastError.KERNEL32(00000000,003F1129), ref: 00422E66
SetLastError.KERNEL32(00000000,003F1129), ref: 00422E6F

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 7c1006676edab45d8dc8d4cb77b2bf3a6f1949eaab4604221b88ec36b6634287
Instruction ID: 2db0e56773ff726ca93f7f38992ab5d06686d5ce61b175164cda994466f7cd4a
Opcode Fuzzy Hash: 7c1006676edab45d8dc8d4cb77b2bf3a6f1949eaab4604221b88ec36b6634287
Instruction Fuzzy Hash: 6801D672345620778612273A7E86D2F166DABD53697E2053FF815A2292EBFC8C02613C

Function 0045000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0044FF41,80070057,?,?,?,0045035E), ref: 0045002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0044FF41,80070057,?,?), ref: 00450046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0044FF41,80070057,?,?), ref: 00450054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0044FF41,80070057,?), ref: 00450064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0044FF41,80070057,?,?), ref: 00450070

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: b75d027f48b5e825f79303bb7c96ad05e951ca0622817d7c2c7dec60e943b104
Instruction ID: fc89c02eb80fed6cdd141bffd8de87b6559dfa88b645db80e913d4ba3ac1a0b9
Opcode Fuzzy Hash: b75d027f48b5e825f79303bb7c96ad05e951ca0622817d7c2c7dec60e943b104
Instruction Fuzzy Hash: 8901FD7A600204BFDB105F68EC84BAE7AEDEF44B93F144429FC01E2251E778DD048BA4

Function 0045E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0045E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0045E9A5
Sleep.KERNEL32(00000000), ref: 0045E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0045E9B7
Sleep.KERNEL32 ref: 0045E9F3

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: a50324662d0e1218a8f906d5f687127e41ca479a453d0824f51454bae5559095
Instruction ID: 4137c17ad77bb62216778add15f27ee6110b0852c3f8c11cc8e355379e2a0a52
Opcode Fuzzy Hash: a50324662d0e1218a8f906d5f687127e41ca479a453d0824f51454bae5559095
Instruction Fuzzy Hash: 4F016171C01529DBCF049FE6DD896DDBB78FF09301F00095AD911B2251DB349659CB69

Function 004510F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00451114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00450B9B,?,?,?), ref: 00451120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00450B9B,?,?,?), ref: 0045112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00450B9B,?,?,?), ref: 00451136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0045114D

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 54acf899d3f826e15941afc8124a1ce44435828d79866adfd4a533c73fb8452f
Instruction ID: d6a950919ce7e060bbcd3bb3dad89b07e16068d242b1c11f48d1781e22f832b3
Opcode Fuzzy Hash: 54acf899d3f826e15941afc8124a1ce44435828d79866adfd4a533c73fb8452f
Instruction Fuzzy Hash: 06014675200605AFDB115BA4EC89A6B3B6EEF893A1B210869FA41C2360DB31DC008F74

Function 00450FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00450FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00450FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00450FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00450FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00451002

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f4fdfc6e0cabfd99bfa9bc54e1668afa6d2fe72fb22b90dca39f707b7007cc22
Instruction ID: ce851017a9f58ef336ed916b4544e7cf8b38b34f99dcbe3cc2704e8e171c0e87
Opcode Fuzzy Hash: f4fdfc6e0cabfd99bfa9bc54e1668afa6d2fe72fb22b90dca39f707b7007cc22
Instruction Fuzzy Hash: 34F04F35141311ABD7214FA4AC8DF5B3BADEF8AB62F504829FD45D62A1CB74DC408B74

Function 00451014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0045102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00451036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00451045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0045104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00451062

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: cb21f6d07ac06f4d43d6caf5f994881beaafa7d8420d551a81cc04dd43097b56
Instruction ID: 164a38c24bf4a6539ec3f7a2a760c9aff5126220a3ef2c4113a7a064d732aa83
Opcode Fuzzy Hash: cb21f6d07ac06f4d43d6caf5f994881beaafa7d8420d551a81cc04dd43097b56
Instruction Fuzzy Hash: 9AF04F35140311ABD7215FA4EC89F5B3B6DEF8AB61F100829FD45D62A1CB74D840CB74

Function 0046030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0046017D,?,004632FC,?,00000001,00432592,?), ref: 00460324
CloseHandle.KERNEL32(?,?,?,?,0046017D,?,004632FC,?,00000001,00432592,?), ref: 00460331
CloseHandle.KERNEL32(?,?,?,?,0046017D,?,004632FC,?,00000001,00432592,?), ref: 0046033E
CloseHandle.KERNEL32(?,?,?,?,0046017D,?,004632FC,?,00000001,00432592,?), ref: 0046034B
CloseHandle.KERNEL32(?,?,?,?,0046017D,?,004632FC,?,00000001,00432592,?), ref: 00460358
CloseHandle.KERNEL32(?,?,?,?,0046017D,?,004632FC,?,00000001,00432592,?), ref: 00460365

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 5185918a845fcdd9aceb98c9b0b4cf673fb398ae1863ed5e9ce3ed2012f917b2
Instruction ID: 79afb20e9566886d2cdd39e5621b3e7b1233f217922f30f39840716d7f77f868
Opcode Fuzzy Hash: 5185918a845fcdd9aceb98c9b0b4cf673fb398ae1863ed5e9ce3ed2012f917b2
Instruction Fuzzy Hash: B001D872800B118FCB30AF66D880803FBF9BE602063048A3FD19252A30C3B4A988CF85

Function 0042D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0042D752

Part of subcall function 004229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0042D7D1,00000000,00000000,00000000,00000000,?,0042D7F8,00000000,00000007,00000000,?,0042DBF5,00000000), ref: 004229DE
Part of subcall function 004229C8: GetLastError.KERNEL32(00000000,?,0042D7D1,00000000,00000000,00000000,00000000,?,0042D7F8,00000000,00000007,00000000,?,0042DBF5,00000000,00000000), ref: 004229F0

_free.LIBCMT ref: 0042D764
_free.LIBCMT ref: 0042D776
_free.LIBCMT ref: 0042D788
_free.LIBCMT ref: 0042D79A

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: abc00fba19c6e91fa9deaf960f98d5961126151f6999db5aabdc3789142fd0b0
Instruction ID: 9e1c207d8a0d9f7407614b5cfa84085a86f8c1a38e624d5d5de8273868220900
Opcode Fuzzy Hash: abc00fba19c6e91fa9deaf960f98d5961126151f6999db5aabdc3789142fd0b0
Instruction Fuzzy Hash: 63F0ECB2B44224AB9621FB65FAC5C1777DDBB88715BE40D1AF048D7601C76CFC80866C

Function 00455C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00455C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00455C6F
MessageBeep.USER32(00000000), ref: 00455C87
KillTimer.USER32(?,0000040A), ref: 00455CA3
EndDialog.USER32(?,00000001), ref: 00455CBD

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 216099eb2b955b81a1792f92980d30318e7a680943043a079a3d001227e67805
Instruction ID: 32dd5cd1801b477c65f7b53c62ab59eedc3f083d42b01472c63915e64471c120
Opcode Fuzzy Hash: 216099eb2b955b81a1792f92980d30318e7a680943043a079a3d001227e67805
Instruction Fuzzy Hash: C6018B305007049BFB215B10DD9EFBA77B8BF00706F00057EA553B14E2D7F459488B59

Function 004222A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004222BE

Part of subcall function 004229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0042D7D1,00000000,00000000,00000000,00000000,?,0042D7F8,00000000,00000007,00000000,?,0042DBF5,00000000), ref: 004229DE
Part of subcall function 004229C8: GetLastError.KERNEL32(00000000,?,0042D7D1,00000000,00000000,00000000,00000000,?,0042D7F8,00000000,00000007,00000000,?,0042DBF5,00000000,00000000), ref: 004229F0

_free.LIBCMT ref: 004222D0
_free.LIBCMT ref: 004222E3
_free.LIBCMT ref: 004222F4
_free.LIBCMT ref: 00422305

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5ee93e41e12c7ffbbc2cf98eb2c60c47a2bfc1de676cb4884282ddf3e87377f
Instruction ID: 0b8c2972e45432dc30bbcc891f9b4d0b469a72404b429d80875f93a0bccd7faa
Opcode Fuzzy Hash: d5ee93e41e12c7ffbbc2cf98eb2c60c47a2bfc1de676cb4884282ddf3e87377f
Instruction Fuzzy Hash: 04F030F8A00131EB8652BF55BD81C493B64FF19751781066FF410D2272C7B904919BAC

Function 004095C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 004095D4
StrokeAndFillPath.GDI32(?,?,004471F7,00000000,?,?,?), ref: 004095F0
SelectObject.GDI32(?,00000000), ref: 00409603
DeleteObject.GDI32 ref: 00409616
StrokePath.GDI32(?), ref: 00409631

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 37b56608fd0a9edbbd3517e72b309d242598582344d7d5688000c0e732398a37
Instruction ID: b4656f6ba40105e4bde705fbcafd01e4f7162818cf746b4be2cdf904052431e7
Opcode Fuzzy Hash: 37b56608fd0a9edbbd3517e72b309d242598582344d7d5688000c0e732398a37
Instruction Fuzzy Hash: 6AF0AF71006604EBCB964F65EC5CB693F61BB02362F008238F425651F2C73589A1DF2C

Function 00420F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 004210F9
__freea.LIBCMT ref: 00421117

Part of subcall function 00421537: _free.LIBCMT ref: 0042154F

Strings

am/pm, xrefs: 0042117A
a/p, xrefs: 004211DE

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 6239c0da9ff634ac9cefcff382925dcf8355d0b3b7c7384fffb35dc4a677069a
Instruction ID: c5e4698813a9c4af943c3db86f69e1997b95dafd2aff0732bbe73b9414966e94
Opcode Fuzzy Hash: 6239c0da9ff634ac9cefcff382925dcf8355d0b3b7c7384fffb35dc4a677069a
Instruction Fuzzy Hash: 19D1F431B00225DADB24CF68E4457BBB7B2EF25300FA4415BE901ABB61D37D9D81CB59

Function 004761D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00410242: EnterCriticalSection.KERNEL32(004C070C,004C1884,?,?,0040198B,004C2518,?,?,?,003F12F9,00000000), ref: 0041024D
Part of subcall function 00410242: LeaveCriticalSection.KERNEL32(004C070C,?,0040198B,004C2518,?,?,?,003F12F9,00000000), ref: 0041028A

Part of subcall function 004100A3: __onexit.LIBCMT ref: 004100A9

__Init_thread_footer.LIBCMT ref: 00476238

Part of subcall function 004101F8: EnterCriticalSection.KERNEL32(004C070C,?,?,00408747,004C2514), ref: 00410202
Part of subcall function 004101F8: LeaveCriticalSection.KERNEL32(004C070C,?,00408747,004C2514), ref: 00410235

Part of subcall function 0046359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004635E4
Part of subcall function 0046359C: LoadStringW.USER32(004C2390,?,00000FFF,?), ref: 0046360A

Strings

x#L, xrefs: 0047633A
x#L, xrefs: 0047636F
x#L, xrefs: 00476353

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#L$x#L$x#L
API String ID: 1072379062-3109749233
Opcode ID: 42d6fa48107bac504f328288139bcb753810c6fa2d0a337204fb7fca3db60b8f
Instruction ID: 64644cbfe21e81e3d8290094617c863be5274d764b31de8964612e44997157cf
Opcode Fuzzy Hash: 42d6fa48107bac504f328288139bcb753810c6fa2d0a337204fb7fca3db60b8f
Instruction Fuzzy Hash: C7C18171A00509AFCB15DF58C890EFEB7BAEF48304F15806EE9099B291D778ED45CB54

Function 00425AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JO?, xrefs: 00425BA8, 00425C6C

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID: JO?
API String ID: 0-1137422323
Opcode ID: eabc6ac64bf6bd6d2587887213e2c3239758e657dc529657201679f9eb187f5e
Instruction ID: 42bf14f644f9c70790bf9e70532f370fee053671a2c07c4e20b76aa06930915e
Opcode Fuzzy Hash: eabc6ac64bf6bd6d2587887213e2c3239758e657dc529657201679f9eb187f5e
Instruction Fuzzy Hash: F6511471F006299FCB209FA6E845FEFBFB4AF05314F90005BF405A7291E6799942CB69

Function 00428A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00428B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00428B7A
__dosmaperr.LIBCMT ref: 00428B81

Strings

.A, xrefs: 00428A63

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .A
API String ID: 2434981716-2826776520
Opcode ID: 131ef08a987c4dd4d9255f4d742dd388d46d7bb78814c50dfcd2795cd6d4ecfe
Instruction ID: 2bf43f7b5097ca5df13844b0e462b77683e189a96c08f26ea9d9117d1d311627
Opcode Fuzzy Hash: 131ef08a987c4dd4d9255f4d742dd388d46d7bb78814c50dfcd2795cd6d4ecfe
Instruction Fuzzy Hash: 38419B70705065AFDB249F24E880A7E3FA5DB86304F2841AFF88587642DE399C13879C

Function 00452716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0045B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004521D0,?,?,00000034,00000800,?,00000034), ref: 0045B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00452760

Part of subcall function 0045B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004521FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0045B3F8

Part of subcall function 0045B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0045B355
Part of subcall function 0045B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00452194,00000034,?,?,00001004,00000000,00000000), ref: 0045B365
Part of subcall function 0045B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00452194,00000034,?,?,00001004,00000000,00000000), ref: 0045B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004527CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0045281A

Strings

@, xrefs: 00452832

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: dd9a91d6a072d4fcc85a7a71ff187ec7cd56c2a0713f776e6c93ad0c9c5991b1
Instruction ID: e90668d93938a6279794ad72d79abc866fc818a7bee1e7e1b9a656a0eacace2f
Opcode Fuzzy Hash: dd9a91d6a072d4fcc85a7a71ff187ec7cd56c2a0713f776e6c93ad0c9c5991b1
Instruction Fuzzy Hash: 8A413072900218BFDB11DFA4CD81AEEBBB8EF09304F00405AFA55B7181DB746E49CBA4

Function 0042172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00421769
_free.LIBCMT ref: 00421834
_free.LIBCMT ref: 0042183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00421760, 00421767, 00421796, 004217CE

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-3695852857
Opcode ID: 2832ee6f2c2c3f58f2def3893771a0290dbc36084f807ca731990cf8b3b2db84
Instruction ID: 1ea8e1ab5315a3f54a44d33a7c22d0e7cdba99f2ca4594f1815c1ad48fee725b
Opcode Fuzzy Hash: 2832ee6f2c2c3f58f2def3893771a0290dbc36084f807ca731990cf8b3b2db84
Instruction Fuzzy Hash: 30318375B00228ABDB21DF99A885D9FBBBCEB95310B9041ABF404D7221D6748E40CB98

Function 0045C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0045C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0045C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,004C1990,00D76E60), ref: 0045C395

Strings

0, xrefs: 0045C2DF

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 1425a686ac82443ea7252776575d4838a706adf5f26b9009950c577c51ef2059
Instruction ID: add060372f03583cecbcdaf44b3f711b842cc66fec8595c972d70fc03e72a044
Opcode Fuzzy Hash: 1425a686ac82443ea7252776575d4838a706adf5f26b9009950c577c51ef2059
Instruction Fuzzy Hash: 7C41A0312043059FD720DF25D884B5BBBE4AF85315F048A1EFDA597392D738A908CB6A

Function 00484416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0048CC08,00000000,?,?,?,?), ref: 004844AA
GetWindowLongW.USER32 ref: 004844C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004844D7

Strings

SysTreeView32, xrefs: 0048447C

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: afe2ad2cef35db5cbcafa7ebd194f7480a4ad15c5cd822b730c08d1f026c6f02
Instruction ID: 2cf99836bc4f48fdab76a98b0447a851685c2ace728a725cdfaef6106466cd33
Opcode Fuzzy Hash: afe2ad2cef35db5cbcafa7ebd194f7480a4ad15c5cd822b730c08d1f026c6f02
Instruction Fuzzy Hash: 3F31C131100206AFDB11AE78DC45BEF77A9EB48734F204B2AF975A22E0D778EC508764

Function 00456E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00456EED
VariantCopyInd.OLEAUT32(?,?), ref: 00456F08
VariantClear.OLEAUT32(?), ref: 00456F12

Strings

*jE, xrefs: 00456E8B, 00456E90, 00456EF8

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jE
API String ID: 2173805711-1396648982
Opcode ID: e2fb6829a1ca3b16d0031f8432823324313d5630aeaa728750f02c722f096386
Instruction ID: 99c24ddcb65b185a27d1f66cb27b117fc476fe0d11e576f07aec29c828396c7b
Opcode Fuzzy Hash: e2fb6829a1ca3b16d0031f8432823324313d5630aeaa728750f02c722f096386
Instruction Fuzzy Hash: 4931D572B04209DFCB05AF64E8918BE7776EF41301B5104AAF9064F3A2C7389916DBD9

Function 0047304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0047335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00473077,?,?), ref: 00473378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0047307A
_wcslen.LIBCMT ref: 0047309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00473106

Strings

255.255.255.255, xrefs: 00473095, 0047309A

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 04a1b72b5d4d5c9ca727ec21764a4fa63870153be77be0588000162e723cb9ca
Instruction ID: df8d1bb0e29c041594ad45fb59a291a3d65859afcdc4808d2d78e24de66b505a
Opcode Fuzzy Hash: 04a1b72b5d4d5c9ca727ec21764a4fa63870153be77be0588000162e723cb9ca
Instruction Fuzzy Hash: 773104392002459FCB20DF28C585EEA77E0EF14319F64C09AE9198F392DB3AEE45D765

Function 00483EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00483F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00483F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00483F78

Strings

SysMonthCal32, xrefs: 00483F0B

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 06617190fa9dbda3c7e4545b1f750867804897d449853bc6a17b693a306e63f8
Instruction ID: f13a9eb5eff0674d8fb5e1fd2f24cd496aee3b63822705db7b93e9bc87b6e012
Opcode Fuzzy Hash: 06617190fa9dbda3c7e4545b1f750867804897d449853bc6a17b693a306e63f8
Instruction Fuzzy Hash: 6921DD32600219BBDF129F50CC86FEE3B75EF48718F110619FB056B190D6B9A8508BA4

Function 00484653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00484705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00484713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0048471A

Strings

msctls_updown32, xrefs: 00484684

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 7aec3c8bedd70fa77579d7593d362f490542b86dfa62499b80c47dc2662f7215
Instruction ID: ac5090f713269a23a6e3698d3d26a0c0042a83fb5f1205bcf89921b4507b2825
Opcode Fuzzy Hash: 7aec3c8bedd70fa77579d7593d362f490542b86dfa62499b80c47dc2662f7215
Instruction Fuzzy Hash: 4A214CB5600209AFDB11EF64DCC1DBB37ADEB8A398B14045AFA009B361DB74EC11CB64

Function 004595AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0045961D

Strings

#requireadmin, xrefs: 004595D9
#notrayicon, xrefs: 004595B7
#OnAutoItStartRegister, xrefs: 004595F3

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: fceb15f2c9b39c84d44ec1d59db50b7068fba9b0f32d5c7ee053f69f86feb084
Instruction ID: 38d54739f330acf163edd163feb456cba4994d2f0005ec645b1fab792eb184f7
Opcode Fuzzy Hash: fceb15f2c9b39c84d44ec1d59db50b7068fba9b0f32d5c7ee053f69f86feb084
Instruction Fuzzy Hash: 6B214672204214A6C731BA25D802FBB73D89FA0311F54443BFD49DB282EB5CAD9EC29D

Function 004837B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00483840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00483850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00483876

Strings

Listbox, xrefs: 0048380F

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 80da046da61dc168ad6b88be062ac94df8f0284c97e23ad442574e95b965a020
Instruction ID: 172d8a895e10a3dc37e1b00a5c65662c75bb55efccbb1e87ff71bf6579525d45
Opcode Fuzzy Hash: 80da046da61dc168ad6b88be062ac94df8f0284c97e23ad442574e95b965a020
Instruction Fuzzy Hash: 2321C272610118BBEF11AF54CC85FBF37AEEF89B50F108525F9049B290CA75DC5287A4

Function 004649F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00464A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00464A5C
SetErrorMode.KERNEL32(00000000,?,?,0048CC08), ref: 00464AD0

Strings

%lu, xrefs: 00464A6F

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 97aacbc36b8044d25b4fd8df39f6dabdcb92055492918e1ae35c3a6cf4b61055
Instruction ID: d04aff682bde99685981fa4f1e50e51ca13b72045f524ffed2065ab9e75a3f50
Opcode Fuzzy Hash: 97aacbc36b8044d25b4fd8df39f6dabdcb92055492918e1ae35c3a6cf4b61055
Instruction Fuzzy Hash: E6315E75A00108AFDB11DF54C8C5EAE7BF8EF48308F1480AAE909DB252D775ED45CB65

Function 004841EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0048424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00484264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00484271

Strings

msctls_trackbar32, xrefs: 00484226

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 481b04683586f995457d41140bce1b511f0e5710579673831528240fa1424656
Instruction ID: 7f3a72d5a9822bbddb3227102a6f4a82b6ebfb50ca3d9e2da9344c7aea177102
Opcode Fuzzy Hash: 481b04683586f995457d41140bce1b511f0e5710579673831528240fa1424656
Instruction Fuzzy Hash: 5E1127312442097EEF206F24CC06FAB3BACEFC5764F110525FA50E21A0D675D8119724

Function 00452F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003F6B57: _wcslen.LIBCMT ref: 003F6B6A

Part of subcall function 00452DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00452DC5
Part of subcall function 00452DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00452DD6
Part of subcall function 00452DA7: GetCurrentThreadId.KERNEL32 ref: 00452DDD
Part of subcall function 00452DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00452DE4

GetFocus.USER32 ref: 00452F78

Part of subcall function 00452DEE: GetParent.USER32(00000000), ref: 00452DF9

GetClassNameW.USER32(?,?,00000100), ref: 00452FC3
EnumChildWindows.USER32(?,0045303B), ref: 00452FEB

Strings

%s%d, xrefs: 00452FFF

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: e0628f99ed7d24c239f641f339120c05aaa841d817fddf00b13e0305ef5fec28
Instruction ID: 0f82be62f6a8490b1144474ad14ea74c86ebd7a04d8a69c83dd0b48039bb3a05
Opcode Fuzzy Hash: e0628f99ed7d24c239f641f339120c05aaa841d817fddf00b13e0305ef5fec28
Instruction Fuzzy Hash: 2211C3712002096BCF517F618C96EEE376AAF84306F04407ABD09AB297DE74590D8B74

Function 00485882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 004858C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 004858EE
DrawMenuBar.USER32(?), ref: 004858FD

Strings

0, xrefs: 0048588F

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 198f232234e01e95adc014f44d7c146585b35e2f1d7c2af132e36eb807985718
Instruction ID: e81381b3c9e6d46153f12fa51f79368ad6beb73434b0621be6f651ac08f47256
Opcode Fuzzy Hash: 198f232234e01e95adc014f44d7c146585b35e2f1d7c2af132e36eb807985718
Instruction Fuzzy Hash: 3A016D71500218EFDB21AF11DC44BAFBBB4FB45760F1084AAE849D62A1DB348A84DF79

Function 0044D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0044D3BF
FreeLibrary.KERNEL32 ref: 0044D3E5

Strings

X64, xrefs: 0044D2A8
GetSystemWow64DirectoryW, xrefs: 0044D3B9

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: aaf8e93f4021ca041538ed19166f6528c15e24d6a2970b83f0293bc7c6039c5f
Instruction ID: b0696bc86667217f37066244b90b1209df304a4af4e88c7892c2e4331e05b46a
Opcode Fuzzy Hash: aaf8e93f4021ca041538ed19166f6528c15e24d6a2970b83f0293bc7c6039c5f
Instruction Fuzzy Hash: 1FF0A731D0561197F77166105CD8A9E3314BF11B01B9485ABE801F5259D7BCCD454BAE

Function 0045007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8c6dfed696f992a9b071a2c212b819ba703cefb8ff64526375d46fdc43ec3b6
Instruction ID: b8d31c8e30f9867714135620b3f5367c86e0ec053039b3b191a7ae0cb794b4a4
Opcode Fuzzy Hash: e8c6dfed696f992a9b071a2c212b819ba703cefb8ff64526375d46fdc43ec3b6
Instruction Fuzzy Hash: 50C18D79A00206EFCB14CFA4C894EAEB7B5FF48705F208599E805EB252C735ED46CB94

Function 0047342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00473459
CoUninitialize.OLE32 ref: 00473463
VariantInit.OLEAUT32(?), ref: 0047346E
VariantClear.OLEAUT32(?), ref: 0047371B

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 7c8f2fea7515512d3d85448716bfda3ec14cfefdda6625f16279de89057be490
Instruction ID: 2f1fbab8f1ada27a1bdf2192cd2baa2b6ffd6938156badaa2e9b301142842e70
Opcode Fuzzy Hash: 7c8f2fea7515512d3d85448716bfda3ec14cfefdda6625f16279de89057be490
Instruction Fuzzy Hash: CEA19875204300AFC710DF28C485A6AB7E4FF89714F04885EF98A9B362DB34EE05CB96

Function 00450436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0048FC08,?), ref: 004505F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0048FC08,?), ref: 00450608
CLSIDFromProgID.OLE32(?,?,00000000,0048CC40,000000FF,?,00000000,00000800,00000000,?,0048FC08,?), ref: 0045062D
_memcmp.LIBVCRUNTIME ref: 0045064E

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 45a58d3d076695a54e398eac4ce27d9f78daf42622de22f41b43a22175234813
Instruction ID: 29e10c40c47206fd5e757fb4c94852a8b08ef0dd0a47c255cd2fa2bf66d597b4
Opcode Fuzzy Hash: 45a58d3d076695a54e398eac4ce27d9f78daf42622de22f41b43a22175234813
Instruction Fuzzy Hash: 54816D75A00109EFCB04DF94C984EEEB7B9FF89305F204559F906AB251DB35AE0ACB64

Function 0047A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0047A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0047A6BA

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0047A79C
CloseHandle.KERNEL32(00000000), ref: 0047A7AB

Part of subcall function 0040CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00433303,?), ref: 0040CE8A

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: c2857f8bae50ccf973488137f8d98cf09317ac038af7d97be609cc9f21e69344
Instruction ID: 6aefa082078bfe665e11c855dec7822fee06fda605e69b5183af7871881dff64
Opcode Fuzzy Hash: c2857f8bae50ccf973488137f8d98cf09317ac038af7d97be609cc9f21e69344
Instruction Fuzzy Hash: BC515F71508304AFD711EF25C886A6FBBE8FF89754F00892EF58997291EB34D904CB96

Function 00431391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004314C0

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 0ba9fd2ae4cb58d8a7af2469aa0a1e9ff2116a13a1de738134a8cb7651d0ddf7
Instruction ID: 65fe38f356106820a60d04bc5fa76b51e77e4f2d3ce91d67af362e7d655ff17d
Opcode Fuzzy Hash: 0ba9fd2ae4cb58d8a7af2469aa0a1e9ff2116a13a1de738134a8cb7651d0ddf7
Instruction Fuzzy Hash: 24417031B001106BDB217BBE9C456AF3AA5EF59374F14526FF419C22A1EA3C4842436A

Function 00486278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 004862E2
ScreenToClient.USER32(?,?), ref: 00486315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00486382

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 911c606af295a787b4a3766a439d3a019795d3c26aa58ff2fbf9cadacde17486
Instruction ID: bf26de3b5c76c2014d17e6e465147e70337d8c0d6b767f2a7dd65807d9177419
Opcode Fuzzy Hash: 911c606af295a787b4a3766a439d3a019795d3c26aa58ff2fbf9cadacde17486
Instruction Fuzzy Hash: 81513974A00209EFCB50EF68D880AAE7BB5FF45360F11896AF9159B3A0D734ED81CB54

Function 00471AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00471AFD
WSAGetLastError.WSOCK32 ref: 00471B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00471B8A
WSAGetLastError.WSOCK32 ref: 00471B94

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 8428283f8050416f5ebf7b0488561589f8f98d5f5026d1d3822289270874f467
Instruction ID: 04d587302480ff1a46039f1ae9838fab5bd6750dec5dc57913cc03559adced7c
Opcode Fuzzy Hash: 8428283f8050416f5ebf7b0488561589f8f98d5f5026d1d3822289270874f467
Instruction Fuzzy Hash: E941CD34640200AFE720AF24C886F7A77E5AB44718F54C45DFA1A9F3D3D676ED428B94

Function 0042B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a512941bc1d3be2d9f402dc0c0347049f94c0bc74d8be09866ba624549a42d5f
Instruction ID: 4dbbb687ce08803d6b2904b2abc85c9ed469ba79cba645b179599302d466ca5d
Opcode Fuzzy Hash: a512941bc1d3be2d9f402dc0c0347049f94c0bc74d8be09866ba624549a42d5f
Instruction Fuzzy Hash: 5A412871B00714BFD724AF39DC41BAABBA9EB88724F50452FF041DB291D379994187C8

Function 004656D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00465783
GetLastError.KERNEL32(?,00000000), ref: 004657A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 004657CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 004657FA

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 287492ebae11acef57f92375cb3566da5ab585361ac42739bd4f0cd59289034a
Instruction ID: 6db8cb94d8adb7e77959142d57c7ce9fd982ee05a20edcc8404dc74d812db1c7
Opcode Fuzzy Hash: 287492ebae11acef57f92375cb3566da5ab585361ac42739bd4f0cd59289034a
Instruction Fuzzy Hash: A2415F39600615DFCB11EF15C544A2EBBE2EF49720F188889E94A9F362DB74FD04CB95

Function 0042D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00416D71,00000000,00000000,004182D9,?,004182D9,?,00000001,00416D71,?,00000001,004182D9,004182D9), ref: 0042D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0042D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0042D9AB
__freea.LIBCMT ref: 0042D9B4

Part of subcall function 00423820: RtlAllocateHeap.NTDLL(00000000,?,004C1444,?,0040FDF5,?,?,003FA976,00000010,004C1440,003F13FC,?,003F13C6,?,003F1129), ref: 00423852

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 45e4b629cabeb92348585a4bce684911f2aa2609615f5cba37da1d56d055a9eb
Instruction ID: 2d21967d96219998749e279bb71ecf0606d33e7e3d333c3a58ce5c69c84fec97
Opcode Fuzzy Hash: 45e4b629cabeb92348585a4bce684911f2aa2609615f5cba37da1d56d055a9eb
Instruction Fuzzy Hash: 0531A2B1A0021AABDB24DF65EC85EAF7BA5EF40310F55416AFC04D6250D739CD90CB94

Function 004852C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00485352
GetWindowLongW.USER32(?,000000F0), ref: 00485375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00485382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004853A8

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: ba6f3999685d0090d5ab95176e841b19abb24325cec4f3446a5bc94c2a8094bf
Instruction ID: e70f3620527e6c2764c816a27b9ffa480f7a1e11828a126de148c2cbba6651d0
Opcode Fuzzy Hash: ba6f3999685d0090d5ab95176e841b19abb24325cec4f3446a5bc94c2a8094bf
Instruction Fuzzy Hash: 5931D434A55A08FFEB31AA14CC45FEE3761AB05391F584817FE10962E1C7B89E40975A

Function 0045AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 0045ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0045AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0045AC74
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 0045ACC6

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 7d4cbe66620f7de7d23d469b15cfc3d21ba169c9687879f13cca2997caa7c61a
Instruction ID: 4564a86129828aa74d7430e056d0f9d07519d8dd45eaf3e8c792136e9bbbd318
Opcode Fuzzy Hash: 7d4cbe66620f7de7d23d469b15cfc3d21ba169c9687879f13cca2997caa7c61a
Instruction Fuzzy Hash: 3D311A309002186FEF36CB6588097FF7AA5AB45312F04471FE885562D2D37C89A9875A

Function 00487674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0048769A
GetWindowRect.USER32(?,?), ref: 00487710
PtInRect.USER32(?,?,00488B89), ref: 00487720
MessageBeep.USER32(00000000), ref: 0048778C

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: c4b38b935814676999221f87bff22fc02c9c679519accbbda6eefcd573613144
Instruction ID: 33f65d4ad6bc72ac19a14467af8ca03fdc10735e762505de6fa8c2415a8587c7
Opcode Fuzzy Hash: c4b38b935814676999221f87bff22fc02c9c679519accbbda6eefcd573613144
Instruction Fuzzy Hash: 4F419C786052149FCB01EF58C8A4EAD77F4FB4A314F2848AAE8149B361D338F941DF98

Function 004816DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 004816EB

Part of subcall function 00453A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00453A57
Part of subcall function 00453A3D: GetCurrentThreadId.KERNEL32 ref: 00453A5E
Part of subcall function 00453A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004525B3), ref: 00453A65

GetCaretPos.USER32(?), ref: 004816FF
ClientToScreen.USER32(00000000,?), ref: 0048174C
GetForegroundWindow.USER32 ref: 00481752

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: b5c39435ed996edab490c315d1c37d66f5a4a2c00e300833b467c14cb8b8b8f7
Instruction ID: 873be6987ef57565644f96d5261316af38b997820b4839d611ea5a08d4c5e351
Opcode Fuzzy Hash: b5c39435ed996edab490c315d1c37d66f5a4a2c00e300833b467c14cb8b8b8f7
Instruction Fuzzy Hash: EA316375D00249AFC700EFA9C881CAEB7FDEF48304B50446EE515E7211D7359E45CBA4

Function 00488FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00409BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00409BB2

GetCursorPos.USER32(?), ref: 00489001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00447711,?,?,?,?,?), ref: 00489016
GetCursorPos.USER32(?), ref: 0048905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00447711,?,?,?), ref: 00489094

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 8e3744e6610c1db73ec4652158673a4499d8772b61d8b77c237cd8a45dbf94ca
Instruction ID: f545f30ff115bfb87a4bb7a597e0e07735d77431f3fc65bbbe1c1214c80004ab
Opcode Fuzzy Hash: 8e3744e6610c1db73ec4652158673a4499d8772b61d8b77c237cd8a45dbf94ca
Instruction Fuzzy Hash: 17218035600418EFCB159F94CC98EFF7BB9EB4A350F18446AF50657261C3399D50EB64

Function 0045D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0048CB68), ref: 0045D2FB
GetLastError.KERNEL32 ref: 0045D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0045D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0048CB68), ref: 0045D376

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: b8c16c7a2b396faa9b40f1cf2c293b32620aa9a38ec57e1c8638ce89e1cf9064
Instruction ID: 7480bcd365b1839bf4ad789e6773b70588f94403a762613714b2cb3a41a4d2a5
Opcode Fuzzy Hash: b8c16c7a2b396faa9b40f1cf2c293b32620aa9a38ec57e1c8638ce89e1cf9064
Instruction Fuzzy Hash: 5B21B4709052019F8310DF24C88196F77E4AE55365F104A6EFC99C72A2D734D90ACB97

Function 00451571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00451014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0045102A
Part of subcall function 00451014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00451036
Part of subcall function 00451014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00451045
Part of subcall function 00451014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0045104C
Part of subcall function 00451014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00451062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 004515BE
_memcmp.LIBVCRUNTIME ref: 004515E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00451617
HeapFree.KERNEL32(00000000), ref: 0045161E

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: d22d1c8aeee8fe0e9bea036b78023a41a082773f4326d2f6d3e5519a341669a7
Instruction ID: 708d80028e30d103f1581c5b261554e3694ae9a963a13cf1c0f622b2cc6efdff
Opcode Fuzzy Hash: d22d1c8aeee8fe0e9bea036b78023a41a082773f4326d2f6d3e5519a341669a7
Instruction Fuzzy Hash: 7F218E31E40108EFDF00DFA4C985BEFB7B8EF44345F08445AE851A7252E738AA09CBA4

Function 00482782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0048280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00482824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00482832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00482840

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 66d288930e6181414b7d5d5d48e833d953d816221b65b94918c3ac50538796bc
Instruction ID: 0b9e71695a6da889295fcdcb40523162e44daf6eb8dbd385221ecdd65c634f7a
Opcode Fuzzy Hash: 66d288930e6181414b7d5d5d48e833d953d816221b65b94918c3ac50538796bc
Instruction Fuzzy Hash: B8210331204511AFDB14BB24C984FAEBB95EF45324F14865EF8268B6E2C7B9FC42C794

Function 004578F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00458D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0045790A,?,000000FF,?,00458754,00000000,?,0000001C,?,?), ref: 00458D8C
Part of subcall function 00458D7D: lstrcpyW.KERNEL32(00000000,?,?,0045790A,?,000000FF,?,00458754,00000000,?,0000001C,?,?,00000000), ref: 00458DB2
Part of subcall function 00458D7D: lstrcmpiW.KERNEL32(00000000,?,0045790A,?,000000FF,?,00458754,00000000,?,0000001C,?,?), ref: 00458DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00458754,00000000,?,0000001C,?,?,00000000), ref: 00457923
lstrcpyW.KERNEL32(00000000,?,?,00458754,00000000,?,0000001C,?,?,00000000), ref: 00457949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00458754,00000000,?,0000001C,?,?,00000000), ref: 00457984

Strings

cdecl, xrefs: 0045797B

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 1a4936699f057a846d97b1d926b6242bebcfa5a63331c20976c955c5212e6593
Instruction ID: eba83ae82543d235a64b1b3eeb507fb383546400172e47e14a996bb93330b060
Opcode Fuzzy Hash: 1a4936699f057a846d97b1d926b6242bebcfa5a63331c20976c955c5212e6593
Instruction Fuzzy Hash: A611E47A200241ABDB159F35D884E7B77A5FF85351B10403FEC02C73A6EB359805C7A9

Function 00487CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00487D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00487D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00487D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0046B7AD,00000000), ref: 00487D6B

Part of subcall function 00409BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00409BB2

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: b91eb02d5017581bbbecc1bbbec7c083d4ed65961bbf244036779149a5c89ef8
Instruction ID: e755ed532245cf58aae579a9894451f8e52385cf6d2a872ff709b529a7d1c4b9
Opcode Fuzzy Hash: b91eb02d5017581bbbecc1bbbec7c083d4ed65961bbf244036779149a5c89ef8
Instruction Fuzzy Hash: A211C032504614AFCB10AF28CC54E6A3BA4AF463A0B258B39F835D72F0E734D911CB58

Function 00485660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 004856BB
_wcslen.LIBCMT ref: 004856CD
_wcslen.LIBCMT ref: 004856D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00485816

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 3bb96afa704a5a26be2ec43385794c604ea98f28719872ff7185309e01c9760e
Instruction ID: d19430b1cf300465235462a6f7ddad68ece222a7b8f65f06225857e5dc0e7603
Opcode Fuzzy Hash: 3bb96afa704a5a26be2ec43385794c604ea98f28719872ff7185309e01c9760e
Instruction Fuzzy Hash: 7711E17560060896DF20FF61CC81BEF77ACAF01764B10482BF919E6181EB78CA84CB68

Function 00421D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19e2e92c2c135f162d0f94fe89e72a60bd69d68c70ed0c4d4348da8133e7c6f6
Instruction ID: cdc8c5e3c210a284f70de2a395bab3b4bfe26e5a938eb59c667212c1ec70a138
Opcode Fuzzy Hash: 19e2e92c2c135f162d0f94fe89e72a60bd69d68c70ed0c4d4348da8133e7c6f6
Instruction Fuzzy Hash: 3701A2F231562ABEF62116797CC0F27661CDF513B8BB1072BF521912E2DB78AC414178

Function 00451A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00451A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00451A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00451A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00451A8A

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 858eaf93702a05780f6710ead0720aaa13c8bb139259831702c86703b0003869
Instruction ID: 155ce6991d4b67cf5d9cf5077bb4da9994e553436604a270445afca39f600bcc
Opcode Fuzzy Hash: 858eaf93702a05780f6710ead0720aaa13c8bb139259831702c86703b0003869
Instruction Fuzzy Hash: F4113C3AD01219FFEB11DBA5CD85FADBB78EB04750F2000A6EA00B7290D6716E50DB98

Function 0045E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0045E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0045E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0045E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0045E24D

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: d57009abc8b0a8a07c854bab77bc9e927cf9f4516044d260973ef8a22a89a3eb
Instruction ID: 0fdd78955012a35e7a50c88c50ded66ec9ae3a0577fac1a87a1a4478523b885d
Opcode Fuzzy Hash: d57009abc8b0a8a07c854bab77bc9e927cf9f4516044d260973ef8a22a89a3eb
Instruction Fuzzy Hash: 25110872904254BBD7059FA9AC49E9F7FACDB45315F00466AFC24D32A2D6B48E0487B8

Function 0041D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0041CFF9,00000000,00000004,00000000), ref: 0041D218
GetLastError.KERNEL32 ref: 0041D224
__dosmaperr.LIBCMT ref: 0041D22B
ResumeThread.KERNEL32(00000000), ref: 0041D249

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 08e25b354951f1c0dd05cac1a3489100ce8e14b2ab71963222abf8c890f95aba
Instruction ID: ea23e5cb49b2f9a058dcd1a7e7182827785a7648d8e1e47843ae33961e0331a0
Opcode Fuzzy Hash: 08e25b354951f1c0dd05cac1a3489100ce8e14b2ab71963222abf8c890f95aba
Instruction Fuzzy Hash: 160126B6D041047BC7115BA6DC49BEF7B69DF81334F20026EF825921D0CB758882C7A9

Function 00489EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00409BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00409BB2

GetClientRect.USER32(?,?), ref: 00489F31
GetCursorPos.USER32(?), ref: 00489F3B
ScreenToClient.USER32(?,?), ref: 00489F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00489F7A

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 6196870a7da3a9268960c1df6adaffcb5d97f620f1558e7d5c2449df051d2306
Instruction ID: 6c8fdab96d30f23f3801f4e475ba7da2af5b4883d525d5c9bd4658821f25b927
Opcode Fuzzy Hash: 6196870a7da3a9268960c1df6adaffcb5d97f620f1558e7d5c2449df051d2306
Instruction Fuzzy Hash: 06116A3150051AABDB05EF59C885DFE77B8FB05311F04086AFA02E3151D338BE81CBA9

Function 003F600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 003F604C
GetStockObject.GDI32(00000011), ref: 003F6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 003F606A

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 3de90b0be5d9082c450123add0be58aaac9c90bccaec4198b30f0fc11a1a363c
Instruction ID: cb805cffc32a631ee514fb4a1c3ec3acb275646e226185e981e3f945f4fcae02
Opcode Fuzzy Hash: 3de90b0be5d9082c450123add0be58aaac9c90bccaec4198b30f0fc11a1a363c
Instruction Fuzzy Hash: BE118B7210550EBFEF124FA48C85EFABB69EF083A4F110226FA0552020DB329C60DBA4

Function 00413B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00413B56

Part of subcall function 00413AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00413AD2
Part of subcall function 00413AA3: ___AdjustPointer.LIBCMT ref: 00413AED

_UnwindNestedFrames.LIBCMT ref: 00413B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00413B7C
CallCatchBlock.LIBVCRUNTIME ref: 00413BA4

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 0f63c6f4fba2aa4e331f40f41c64457b5adeaca745f58fb13cca8157044ebeb1
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 2A014072100148BBDF115E96CC42EEB3F6DEF88759F04401AFE4856121D73AE9A1DBA4

Function 00423073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,003F13C6,00000000,00000000,?,0042301A,003F13C6,00000000,00000000,00000000,?,0042328B,00000006,FlsSetValue), ref: 004230A5
GetLastError.KERNEL32(?,0042301A,003F13C6,00000000,00000000,00000000,?,0042328B,00000006,FlsSetValue,00492290,FlsSetValue,00000000,00000364,?,00422E46), ref: 004230B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0042301A,003F13C6,00000000,00000000,00000000,?,0042328B,00000006,FlsSetValue,00492290,FlsSetValue,00000000), ref: 004230BF

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: f4ddf92c34f8531e2a71e11ef54e8b32ddf90b0df4921d10bfbe1a406d6ecb7a
Instruction ID: a72b0896432964981b10554a49ad5ac60cc6df7d2df6b5a655a47aad46782a79
Opcode Fuzzy Hash: f4ddf92c34f8531e2a71e11ef54e8b32ddf90b0df4921d10bfbe1a406d6ecb7a
Instruction Fuzzy Hash: 8201D832741236ABC7214E78BC8495777A89F05B62B500A35F905E3244C73DD901C7F8

Function 00457464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0045747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00457497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 004574AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 004574CA

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 0f5de836845b58a9110449f0ecedc88268bb53e79c24e422514f2d14a148bc58
Instruction ID: 6bd56ac1acfb4f64e91b87b1af515c939a419867e8b570f856d89a0ab287a723
Opcode Fuzzy Hash: 0f5de836845b58a9110449f0ecedc88268bb53e79c24e422514f2d14a148bc58
Instruction Fuzzy Hash: 9411A1B1205310ABE7208F24ED48F967BFCEB01B01F10857EEE16D6152D774E948DBA5

Function 0045B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0045ACD3,?,00008000), ref: 0045B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0045ACD3,?,00008000), ref: 0045B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0045ACD3,?,00008000), ref: 0045B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0045ACD3,?,00008000), ref: 0045B126

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: a2dcaf173d5d01ad79728f0c8fa1be6449115417faf9b6635410db79523a5e32
Instruction ID: ee867ad59def7efabe93f633a680ae38d2aba54d8ef32ddd81d9c959849d6d3a
Opcode Fuzzy Hash: a2dcaf173d5d01ad79728f0c8fa1be6449115417faf9b6635410db79523a5e32
Instruction Fuzzy Hash: 07115E31C0191CE7CF00AFE5D9986EEBB78FF09752F10449AD941B2286CB3455558BA9

Function 00487E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00487E33
ScreenToClient.USER32(?,?), ref: 00487E4B
ScreenToClient.USER32(?,?), ref: 00487E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00487E8A

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 80d1a173c37a97c6e55b1eabff071eab7e4fcabeb761f877d09646504da3ba7f
Instruction ID: 785e13a838e5945cab849a65381a0fd07e56071f69a4e4886ccf7e1206afa025
Opcode Fuzzy Hash: 80d1a173c37a97c6e55b1eabff071eab7e4fcabeb761f877d09646504da3ba7f
Instruction Fuzzy Hash: 0E1156B9D0020AAFDB41DF98C884AEEBBF5FF08310F505466E925E3210D735AA54CF64

Function 00452DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00452DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00452DD6
GetCurrentThreadId.KERNEL32 ref: 00452DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00452DE4

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: f4c5248827b2d2522d2f6581495337f4db9706d865129cb870306f496eb75569
Instruction ID: 4a7181158fd758e8389356ccdb70296c6c4d816c4fb4366791348b1a0ad8357e
Opcode Fuzzy Hash: f4c5248827b2d2522d2f6581495337f4db9706d865129cb870306f496eb75569
Instruction Fuzzy Hash: 8FE06D711412247AD7201B62AC8DFEB3E6CEB43BA2F00052AB905E1081AAA88849C7B4

Function 00488863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00409639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00409693
Part of subcall function 00409639: SelectObject.GDI32(?,00000000), ref: 004096A2
Part of subcall function 00409639: BeginPath.GDI32(?), ref: 004096B9
Part of subcall function 00409639: SelectObject.GDI32(?,00000000), ref: 004096E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00488887
LineTo.GDI32(?,?,?), ref: 00488894
EndPath.GDI32(?), ref: 004888A4
StrokePath.GDI32(?), ref: 004888B2

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: f00771b6e33574313da17159c0d68837b3eae0e3b5a17d96ff1ca9f4c0999387
Instruction ID: bf58733776772d6f6cef47067b1d94fd51f29bc13e0285c622ae118d30030de2
Opcode Fuzzy Hash: f00771b6e33574313da17159c0d68837b3eae0e3b5a17d96ff1ca9f4c0999387
Instruction Fuzzy Hash: 3DF03A36041258FADB126F94AC49FCE3B59AF06310F448429FA11651E2C7B95511CFAD

Function 004098B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 004098CC
SetTextColor.GDI32(?,?), ref: 004098D6
SetBkMode.GDI32(?,00000001), ref: 004098E9
GetStockObject.GDI32(00000005), ref: 004098F1

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: a25465d619de842e9eddbea3d1797facefca1aed0756ff273ea85f70b548d9a4
Instruction ID: 3084669143e3b42f37cee25a02c4bf846bf0e195b17a2f0655dae9eab89bc20b
Opcode Fuzzy Hash: a25465d619de842e9eddbea3d1797facefca1aed0756ff273ea85f70b548d9a4
Instruction Fuzzy Hash: F6E06531244240BEEB215B74BC4DBED3F10AB11335F04862EF6F5581E1C37556419F24

Function 0045162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00451634
OpenThreadToken.ADVAPI32(00000000,?,?,?,004511D9), ref: 0045163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,004511D9), ref: 00451648
OpenProcessToken.ADVAPI32(00000000,?,?,?,004511D9), ref: 0045164F

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 9308e8288ff3231809e6777c344af42d0f8fd138b8850db35bce294ae59073ee
Instruction ID: 6da2111cf45dcd7b1c4ab75b25fc3d76e34d1fba515434d7f42e88afbb5813e9
Opcode Fuzzy Hash: 9308e8288ff3231809e6777c344af42d0f8fd138b8850db35bce294ae59073ee
Instruction Fuzzy Hash: CAE04F316012119BD7201BF4AD4DB4B3B68AF56792F154C2DF646C9090D638444587A8

Function 0044D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0044D858
GetDC.USER32(00000000), ref: 0044D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0044D882
ReleaseDC.USER32(?), ref: 0044D8A3

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: b575fdd04b5741a331108a805ac3fffd82ae8a3a4789143bb800cd5e29319459
Instruction ID: 99c979eb747547dd4dd6bc36a802745f9c9227c1c7ad9ed7ba9e6754b043d6b9
Opcode Fuzzy Hash: b575fdd04b5741a331108a805ac3fffd82ae8a3a4789143bb800cd5e29319459
Instruction Fuzzy Hash: 61E01AB4C00205DFCB41AFF4D94866DFBB2FB48310F108829E906F7250D7384902AF69

Function 0044D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0044D86C
GetDC.USER32(00000000), ref: 0044D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0044D882
ReleaseDC.USER32(?), ref: 0044D8A3

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: f20b1af578cd7b14dc56216c9b09a9e2836dc538b2cd5d03bdbef0a4535b0687
Instruction ID: d2794ebbd97957c92b67e3e79c0d2f79d4b04198eb684f3a331811f0b7f56c38
Opcode Fuzzy Hash: f20b1af578cd7b14dc56216c9b09a9e2836dc538b2cd5d03bdbef0a4535b0687
Instruction Fuzzy Hash: 1CE01A74C00204DFCB419FB4D84866DBBB1BB48310B108829E90AF7250D7385902AF64

Function 00464D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 003F7620: _wcslen.LIBCMT ref: 003F7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00464ED4

Strings

*, xrefs: 00464E10
LPT, xrefs: 00464DFB

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: dc7ab85eeeed8f049c14426c73a4698b13a3b6f12aa3e887bcbb5f6af3d7f625
Instruction ID: dcd355d666b1b54ac28dde6d93a25ecd94d18034b52544ac1b7b774975fe1ceb
Opcode Fuzzy Hash: dc7ab85eeeed8f049c14426c73a4698b13a3b6f12aa3e887bcbb5f6af3d7f625
Instruction Fuzzy Hash: B8915275A00204DFCB15DF54C484EAABBF1BF85304F15809AE40A9F3A2D779EE85CB96

Function 00477771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0044569E,00000000,?,0048CC08,?,00000000,00000000), ref: 004778DD

Part of subcall function 003F6B57: _wcslen.LIBCMT ref: 003F6B6A

CharUpperBuffW.USER32(0044569E,00000000,?,0048CC08,00000000,?,00000000,00000000), ref: 0047783B

Strings

<sK, xrefs: 004777C8

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <sK
API String ID: 3544283678-925661131
Opcode ID: f444af60002007334f2516599114996cc39040fef85855513c95570659e02502
Instruction ID: dad47bb313354f1058a1043a51790bea501ef376986ad03f30b8db2fea784a56
Opcode Fuzzy Hash: f444af60002007334f2516599114996cc39040fef85855513c95570659e02502
Instruction Fuzzy Hash: 326182B691411DAACF06FBA4CC91DFEB3B4BF14300B844526E606B7191EF785A05CBA5

Function 0040E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0040E1B1

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 2440b0f3792a3e41879cd639ed595abd2a9ee93bba7ee2aa31b8a06dcf989439
Instruction ID: 3b3e955dd0938784010ff088bc04d699b5e65e78dd195bcb016fdb6a90862baf
Opcode Fuzzy Hash: 2440b0f3792a3e41879cd639ed595abd2a9ee93bba7ee2aa31b8a06dcf989439
Instruction Fuzzy Hash: D5512235500246DFEB15DF2AC0816BA7BA4FF15320F2444ABED91AB3D0D6389D53CBA9

Function 0040F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0040F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0040F2BB

Strings

@, xrefs: 0040F2AF

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: ff86ace38ad50c242942c2da51fe4fa8429775e908fe6b7b403cc42f6278cd4b
Instruction ID: d71ef60d6d28df093a1bd47a7fec7bf62fff155a859680e9ebda4eca05d0413b
Opcode Fuzzy Hash: ff86ace38ad50c242942c2da51fe4fa8429775e908fe6b7b403cc42f6278cd4b
Instruction Fuzzy Hash: 7E516B714187499BD320AF14D886BAFBBF8FF84304F81885DF295451A5EB308529CB6A

Function 00475745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 004757E0
_wcslen.LIBCMT ref: 004757EC

Strings

CALLARGARRAY, xrefs: 004757E6, 004757EB

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 3c1bde3c91842aa1de9cdbca21c4e229995d9f17009ae9420a5ea8b63d03b76a
Instruction ID: 6ad8ce6d639ad521ac0f53c792e6e2658fa01199f4ec9469f7fb7f91ccb03421
Opcode Fuzzy Hash: 3c1bde3c91842aa1de9cdbca21c4e229995d9f17009ae9420a5ea8b63d03b76a
Instruction Fuzzy Hash: 6741C331A001099FCB14EFAAC8819FEBBB4EF59314F11806FE509AB391D7789D81CB95

Function 0046D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0046D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0046D13A

Strings

|, xrefs: 0046D10B

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: c17dcebfa271b5bfc7af6e3aa754f062b81ec15eda6f6e11a5167fe05911fce3
Instruction ID: 821326b579eb6f70cd99bbf15193cc7c6946395a5b9ef2a8d782d8a7e47e2499
Opcode Fuzzy Hash: c17dcebfa271b5bfc7af6e3aa754f062b81ec15eda6f6e11a5167fe05911fce3
Instruction Fuzzy Hash: 41315D71D00209ABCF15EFA5CD85AEFBFB9FF15300F00001AF915AA261E775AA46CB65

Function 0048356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00483621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0048365C

Strings

static, xrefs: 004835BC

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 32c6ecd26b16019dc41a459c9c05e0351126903f6fb3341868c2382a8ace9eff
Instruction ID: e83edfcdf0dc67c7699a9147ffd355f3409b9cee61ad98b817227ed9203f3f3a
Opcode Fuzzy Hash: 32c6ecd26b16019dc41a459c9c05e0351126903f6fb3341868c2382a8ace9eff
Instruction Fuzzy Hash: 0E31A171110604AADB20EF28DC80EBF73A9FF48B24F108A1EF95597290DA34AD81C768

Function 00484537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0048461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00484634

Strings

', xrefs: 0048458E

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: d1dc95981cc3bea59e580ab29c8111d41d413f96a16d6d1a7778da92cd078879
Instruction ID: 37667daf07ac6d207e9b774d3a0ffd8943d16143bea6b5b7a1cee2fcca5f2084
Opcode Fuzzy Hash: d1dc95981cc3bea59e580ab29c8111d41d413f96a16d6d1a7778da92cd078879
Instruction Fuzzy Hash: FD313B74A0130AAFDB14DF69C980BDE7BB5FF49300F10446AEA04AB351E774A941CF94

Function 004831EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0048327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00483287

Strings

Combobox, xrefs: 00483249

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 650782aca9830cc24231331b53894bcc6d0bcb1114ca101288279bb128657dd0
Instruction ID: b50a2c0fa1905e0fe9f2230b493bf8a7fd59f102dfbe8c1e8dc15dd6ec523132
Opcode Fuzzy Hash: 650782aca9830cc24231331b53894bcc6d0bcb1114ca101288279bb128657dd0
Instruction Fuzzy Hash: C611E2713002087FEF21AF94DC80EBF376AEB947A5F10092AF91897290D6399D518764

Function 00483710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 003F600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 003F604C
Part of subcall function 003F600E: GetStockObject.GDI32(00000011), ref: 003F6060
Part of subcall function 003F600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 003F606A

GetWindowRect.USER32(00000000,?), ref: 0048377A
GetSysColor.USER32(00000012), ref: 00483794

Strings

static, xrefs: 00483757

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: a8f36c70c47c451fcafbd036c14ce7749d5aca08f70bde0c460f1388066573e4
Instruction ID: a5bbf71c25b5a8e37c54d464ec363aee4df3fc81e342fe45c1e8bf28d0903bed
Opcode Fuzzy Hash: a8f36c70c47c451fcafbd036c14ce7749d5aca08f70bde0c460f1388066573e4
Instruction Fuzzy Hash: C7112CB2610209AFDF01EFA8CC45EEE7BB8EB08715F004929FD55E2250D739E8519B64

Function 0046CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0046CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0046CDA6

Strings

<local>, xrefs: 0046CD66

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 6b987dc0bb975297d6b6c6ecf4dd23fd29772f8bd8ee67fb7b584689486d32b7
Instruction ID: c289eba94e55c98190403c0229ddabb3ee848b5623763387be6dc5b6a9a52223
Opcode Fuzzy Hash: 6b987dc0bb975297d6b6c6ecf4dd23fd29772f8bd8ee67fb7b584689486d32b7
Instruction Fuzzy Hash: F111E3712416327AD7244A668CC4EF7BE68EB127A4F00423BB18982180E2789841D6F6

Function 00483429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 004834AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004834BA

Strings

edit, xrefs: 0048348F

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 5b4670f76a7e6c0d0025eed22a16ab55b088ddf301a9595303d92ffe039dda13
Instruction ID: 3edef9051a05f4ad5ede105c0293ca18cbe50c15722231db17cad7db1dda5cd1
Opcode Fuzzy Hash: 5b4670f76a7e6c0d0025eed22a16ab55b088ddf301a9595303d92ffe039dda13
Instruction Fuzzy Hash: CE11B271100108ABEF126E64DC84EBF3769EF05B79F504B25F961932E0C779DC519B68

Function 00456C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00456CB6
_wcslen.LIBCMT ref: 00456CC2

Strings

STOP, xrefs: 00456CBC, 00456CC1

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: a5beb92ab42562fd2a552c6d71bf3792904a36609ab94fb0b506b4c8ccc247f2
Instruction ID: c72283bdb6e785cd5a50e9544192f77368ef9428af47e7499e6fb7ccb397521d
Opcode Fuzzy Hash: a5beb92ab42562fd2a552c6d71bf3792904a36609ab94fb0b506b4c8ccc247f2
Instruction Fuzzy Hash: 63012B326005268BCB129FBDDC809BF73B4EF60711782093AEC5297292FB39D808C654

Function 00451CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

Part of subcall function 00453CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00453CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00451D4C

Strings

ListBox, xrefs: 00451D16
ComboBox, xrefs: 00451CEB

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 3da06001e0e5cc69b9a4cd498e23a604fe7019d479da1bc9fbd0ebe902bce9c9
Instruction ID: 6e709eae5c10d8f685173847b66a73278914703210920fa0a1c6060094d2e0cc
Opcode Fuzzy Hash: 3da06001e0e5cc69b9a4cd498e23a604fe7019d479da1bc9fbd0ebe902bce9c9
Instruction Fuzzy Hash: B901B571641218AB8B05EFA4CD51BFE7778EB46391B14051BEC226B3D2EA35690CC664

Function 00451BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

Part of subcall function 00453CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00453CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00451C46

Strings

ListBox, xrefs: 00451C10
ComboBox, xrefs: 00451BE5

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 3ec74e24040678cb29cba38bfa1a77b81c0e2d9878ac671691b677db9cf95c27
Instruction ID: 5321e339e67e64625824bc12bd4a71fb9a5194f200638ddf89c1eebbfba71e29
Opcode Fuzzy Hash: 3ec74e24040678cb29cba38bfa1a77b81c0e2d9878ac671691b677db9cf95c27
Instruction Fuzzy Hash: 9701A77568110867CF16EBA0CA51BFF77A89F11381F14001BED0677292EA299E0CC6B9

Function 00451C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

Part of subcall function 00453CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00453CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00451CC8

Strings

ListBox, xrefs: 00451C94
ComboBox, xrefs: 00451C69

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 48f6816dc4d500f6bfaeb3243107f436f0265aa736101e95eda48cc63cad1fb8
Instruction ID: b6c09de2dc953b272af3a22bfd5aef36263feba1326fdbee55ae27234e447657
Opcode Fuzzy Hash: 48f6816dc4d500f6bfaeb3243107f436f0265aa736101e95eda48cc63cad1fb8
Instruction Fuzzy Hash: DE01A77168011867CB06EBA1CA01BFF77A89B11381F14001BBD0177292EA299F0CD679

Function 0040A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0040A529

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

Strings

3yD, xrefs: 0040A545, 0040A54D, 0040A552
,%L, xrefs: 0040A509

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%L$3yD
API String ID: 2551934079-3642919373
Opcode ID: d0b809af134bc98950cd52a3f4e90ef4639bdc8077e5f0154f7a69a32d61aefd
Instruction ID: 5ab62c6bd05ac69ddcd140697fe3376f5014cf52d054cb5af948ff70202326f7
Opcode Fuzzy Hash: d0b809af134bc98950cd52a3f4e90ef4639bdc8077e5f0154f7a69a32d61aefd
Instruction Fuzzy Hash: D301D431600714A7C601B7699D56FAE3354AB05710F50407BF6016B2C2DEE86D41869F

Function 00451D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003F9CB3: _wcslen.LIBCMT ref: 003F9CBD

Part of subcall function 00453CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00453CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00451DD3

Strings

ListBox, xrefs: 00451DA0
ComboBox, xrefs: 00451D75

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 6257ed49def0119955b0f069e0307805775196c950f0552d122c1c1e40d93449
Instruction ID: 612fc270ae02a47e251d1cb6befa42ca734e6dbb07ad02f81a04ff397a0b50bd
Opcode Fuzzy Hash: 6257ed49def0119955b0f069e0307805775196c950f0552d122c1c1e40d93449
Instruction Fuzzy Hash: A1F0F971A4021867CB05EBA4CD51BFF7778AB01381F04091BFD22672D2DA74690C8278

Function 00488172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,004C3018,004C305C), ref: 004881BF
CloseHandle.KERNEL32 ref: 004881D1

Strings

\0L, xrefs: 0048818A

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0L
API String ID: 3712363035-986396046
Opcode ID: 35cf3ea13c74382cb6998ddb586b3a8a126fab2cfdd7352e71f3decc0878cc01
Instruction ID: da257b87bb91ff51fcf37b2d2a1594b93bdbb2c958f9b001e785ba8557aedd20
Opcode Fuzzy Hash: 35cf3ea13c74382cb6998ddb586b3a8a126fab2cfdd7352e71f3decc0878cc01
Instruction Fuzzy Hash: A1F05EB6640304BAE2606F62AC45FBB7A5CEB05756F00843ABF08D51A2D6798E5093BC

Function 0047747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00477493
_wcslen.LIBCMT ref: 004774B9

Strings

3, 3, 16, 1, xrefs: 00477483

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 0e076b82779361c2bb68f1a79e6eb005a6d962856891511f7669d524e1ba6d63
Instruction ID: 36233daa3f9898c654f70fd0fcf7ceb5be08fc8c5b6e64ef883a8eb51223dc5c
Opcode Fuzzy Hash: 0e076b82779361c2bb68f1a79e6eb005a6d962856891511f7669d524e1ba6d63
Instruction Fuzzy Hash: 1FE02B52214220109231127B9CC1AFF56C9DFC57A0754182FF989C2376EA9C8DD193A8

Function 00450B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00450B23

Strings

Error allocating memory., xrefs: 00450B1C
AutoIt, xrefs: 00450B17

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 026466bfe67cbba3a90cabec3f1bbda13b81c69114465ba3ee418a443f62ddbb
Instruction ID: 869d1843a7365dc1a8f51508c66bf949824a20061e35050d80445225caa36c0b
Opcode Fuzzy Hash: 026466bfe67cbba3a90cabec3f1bbda13b81c69114465ba3ee418a443f62ddbb
Instruction Fuzzy Hash: 27E0923124430826D22037957C43F8D7A848F05B15F20087BFB58695C38AF9649406FD

Function 00410D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0040F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00410D71,?,?,?,003F100A), ref: 0040F7CE

IsDebuggerPresent.KERNEL32(?,?,?,003F100A), ref: 00410D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,003F100A), ref: 00410D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00410D7F

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: e0cd60ce23fa2ecb8f36239a59c21b3e263680f1713eb660d56893c8d6122463
Instruction ID: c4277ac6cd3ab9bb44b547bbcadcbf513f2423766d1c8734ad5e2c3276531fa6
Opcode Fuzzy Hash: e0cd60ce23fa2ecb8f36239a59c21b3e263680f1713eb660d56893c8d6122463
Instruction Fuzzy Hash: 30E065742003418BD3709FBDE4447567BE0AB04744F004D7FE485C6661DBF8E4888BA9

Function 0040E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0040E3D5

Strings

8%L, xrefs: 0040E3CA
0%L, xrefs: 0040E3B5

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%L$8%L
API String ID: 1385522511-1843137276
Opcode ID: 0f7adedca6ebbddbdec51a2c67c4fa9d5de1fa10f6ea186bfbbcf27f1e1e70ea
Instruction ID: 10d0eae6355482df773069b516a3310d1c73e7b1f18e7878440c28dfc4b59d9e
Opcode Fuzzy Hash: 0f7adedca6ebbddbdec51a2c67c4fa9d5de1fa10f6ea186bfbbcf27f1e1e70ea
Instruction Fuzzy Hash: B4E02631404D20EBC644971AFA54E8B3751AB05324B9005BFE912DB2D19FFCA881864D

Function 00463017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0046302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00463044

Strings

aut, xrefs: 00463038

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 3cea96de7a3df90bc702ffe997299be339f960b961d6c14e78d223247a584d19
Instruction ID: f912b82e12f10efe338c51d993a90e7a0776d82cb6828ee697e7147ce3013bc1
Opcode Fuzzy Hash: 3cea96de7a3df90bc702ffe997299be339f960b961d6c14e78d223247a584d19
Instruction Fuzzy Hash: DFD05E7290032867DA20A7A4AC4EFCB3A6CDB05750F0006A2B655E20D1DAB49984CBE4

Function 0044D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0044D220

Strings

X64, xrefs: 0044D2A8
%.3d, xrefs: 0044D22B

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: b7ec393e3a1cfec2d5cb17c0ecd44d28c060e3016eae38446b5c684628432f47
Instruction ID: 41b13a4bfb4db8a0a1ca279ee16640d4413be2f21cfbd5ce45bb72d9b4e9f8bb
Opcode Fuzzy Hash: b7ec393e3a1cfec2d5cb17c0ecd44d28c060e3016eae38446b5c684628432f47
Instruction Fuzzy Hash: A6D01271C08109EADB9096D0DC499B9B3BCBB18301F6084F7F806A1080D67CD50AAB6B

Function 00482356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0048236C
PostMessageW.USER32(00000000), ref: 00482373

Part of subcall function 0045E97B: Sleep.KERNEL32 ref: 0045E9F3

Strings

Shell_TrayWnd, xrefs: 00482365

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 1d23d2627472f676ef8bcec9cb10a70fe0cf15fc92ff182b941620b284c292e1
Instruction ID: b14a1ba4671a0685fec3fd162f3559e034165f786b7be58066e99570eb128328
Opcode Fuzzy Hash: 1d23d2627472f676ef8bcec9cb10a70fe0cf15fc92ff182b941620b284c292e1
Instruction Fuzzy Hash: 9ED0A932380310BAE668A3319C4FFCA66049B00B00F10092A7601AA0D1C8B8A8058B2C

Function 00482322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0048232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0048233F

Part of subcall function 0045E97B: Sleep.KERNEL32 ref: 0045E9F3

Strings

Shell_TrayWnd, xrefs: 00482325

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: b7b262553f65fb67b2463da8379f08ce7c2362fd3c30e2ac9042e5b9bef5c53b
Instruction ID: 0d71512fa325f669820b90115187d654578d191bf0ad3af7a0155e1ea1293dd2
Opcode Fuzzy Hash: b7b262553f65fb67b2463da8379f08ce7c2362fd3c30e2ac9042e5b9bef5c53b
Instruction Fuzzy Hash: EDD0A932380310B6E668A3319C4FFCA6A049B00B00F10092A7605AA0D1C8B8A8058B28

Function 0042BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0042BE93
GetLastError.KERNEL32 ref: 0042BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0042BEFC

Memory Dump Source

Source File: 00000000.00000002.2233942974.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2233739685.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234663702.00000000004B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234944034.00000000004BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2234999880.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 8ccf57f277798dd0a3b58693584c1dd79b6faec761580d3b8ade76109032e562
Instruction ID: 03eea1cc856796477a0e63fbe9924034ba77201f0c32bb72e704a9de58a0cb08
Opcode Fuzzy Hash: 8ccf57f277798dd0a3b58693584c1dd79b6faec761580d3b8ade76109032e562
Instruction Fuzzy Hash: 02413831700226AFCF218F65ED84ABB7BA5EF01350F56416EF959973A1DB348C01CBA8

Source: Joe Sandbox View	IP Address: 151.101.1.91 151.101.1.91
Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.2310472639.000001BBD0269000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2345016035.000001BBD0269000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2379434891.000001BBCE872000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2407371566.000001BBDA71C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2367567309.000001BBDA663000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2367567309.000001BBDA663000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2387511476.000001BBD7594000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2407371566.000001BBDA71C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2398817192.000001BBD7594000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2394729869.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423404275.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2367567309.000001BBDA663000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2367567309.000001BBDA663000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2394729869.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423404275.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2394729869.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423404275.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2394729869.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423404275.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2394729869.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423404275.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2394729869.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423404275.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2394729869.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423404275.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2394729869.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423404275.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2394729869.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423404275.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2394729869.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423404275.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2394729869.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423404275.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2394729869.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423404275.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2394729869.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423404275.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2394729869.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423404275.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2394729869.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423404275.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2394729869.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423404275.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2394729869.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423404275.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2394729869.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423404275.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2394729869.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2423404275.000001BBD11B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2409684872.000001BBD236E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2402921597.000001BBD236E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2420990824.000001BBD236E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2409684872.000001BBD236E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2402921597.000001BBD236E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2420990824.000001BBD236E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2409684872.000001BBD236E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2402921597.000001BBD236E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2420990824.000001BBD236E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2387511476.000001BBD7594000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2387665352.000001BBD7582000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2407371566.000001BBDA71C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2387665352.000001BBD7582000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2398966883.000001BBD7582000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2407231463.000001BBDA799000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2398202057.000001BBD75F6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2387187064.000001BBD75F6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2367623159.000001BBD75F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: file.exe	Virustotal: Detection: 40%			Perma Link
Source: file.exe	ReversingLabs: Detection: 47%

Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:62171 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:62172 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:62177 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.91:443 -> 192.168.2.6:62179 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.6:62178 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:62182 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:62184 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:62183 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.6:62185 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:62191 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:62196 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:62195 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:62194 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:62192 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:62193 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:62197 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:62198 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 62185 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62181 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62191 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62179 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62198 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62195 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62197
Source: unknown	Network traffic detected: HTTP traffic on port 62165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62198
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 62184 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62173
Source: unknown	Network traffic detected: HTTP traffic on port 62180 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62174
Source: unknown	Network traffic detected: HTTP traffic on port 62190 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62176 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62194 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62164
Source: unknown	Network traffic detected: HTTP traffic on port 62166 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62165
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62166
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62168
Source: unknown	Network traffic detected: HTTP traffic on port 62187 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62201
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62169
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62204
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62180
Source: unknown	Network traffic detected: HTTP traffic on port 62183 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62181
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62182
Source: unknown	Network traffic detected: HTTP traffic on port 62164 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62183
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62184
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62185
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62177 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62193 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62197 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62174 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62175
Source: unknown	Network traffic detected: HTTP traffic on port 62201 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62176
Source: unknown	Network traffic detected: HTTP traffic on port 62167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62177
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62178
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62179
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62190
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62191
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62192
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62193
Source: unknown	Network traffic detected: HTTP traffic on port 62182 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62194
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62195
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62196
Source: unknown	Network traffic detected: HTTP traffic on port 62178 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62192 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62196 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62175 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62187
Source: unknown	Network traffic detected: HTTP traffic on port 62168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 62204 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_c718ef7e-2ca1-4383-a4c1-d816fd111324.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_c718ef7e-2ca1-4383-a4c1-d816fd111324.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\99F7SNUZHKUULQH09V4S.temp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YUBLRWGSKZZD2VKECLE7.temp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\store.json.mozlz4.tmp

Windows Analysis Report
file.exe

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre